On 12/11/2011 06:43 PM, DIEGO LOPEZ GARCIA wrote:
>
> On 11 Dec 2011, at 12:09 , Leif Johansson wrote:
>> 9 dec 2011 kl. 21:50 skrev Nico Williams <[email protected]>:
>>> However, what could be done is that an attribute with a URI
>>> could also have a digest of the thing to be fetched via HTTP,
>>> and maybe a digest of the server cert or an intermediate CA for
>>> it (or perhaps a key that the actual attribute payload will be
>>> encrypted in, that way we can use plain HTTP). But this starts
>>> sounding hairy.
>>>
>>
>> Drop the cert bits and you're essentially describing the way
>> OpenID Connect uses a resource token (OAuth) to de-reference
>> attributes.
>
> But in OpenID Connect the token is used to get access to the
> attributes, not for establishing trust between the RP (the client
> in OpenID parlance) and the attribute source. As Alan stated, going
> this way you cannot get rid of the need for two parallel trust
> infrastructures, and I think that is the essential argument for
> transferring the SAML data inside RADIUS.
Sorry. I thought dereferencing an attribute handle was exactly what Nico was talking about here.

abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
