On 12 Dec 2011, at 17:06 , Klaas Wierenga wrote:
> On Dec 12, 2011, at 4:59 PM, Nico Williams wrote:
>
>> On Mon, Dec 12, 2011 at 2:50 AM, Leif Johansson <[email protected]> wrote:
>>> On 12/11/2011 06:43 PM, DIEGO LOPEZ GARCIA wrote:
>>>> But in OpenID Connect the token is used to get access to the
>>>> attributes, not for establishing trust between the RP (the client
>>>> in OpenID parlance) and the attribute source. As Alan stated, going
>>>> this way you cannot get rid of the need for two parallel trust
>>>> infrastructures, and I think that is the essential argument for
>>>> transferring the SAML data inside RADIUS.
>>>
>>> Sorry. I thought dereferencing an attribute handle was exactly what
>>> Nico was talking about here.
>>
>> Well. I was addressing part of the trust issue as well.  Instead of
>> simply getting a URI to dereference you'd also get some cryptographic
>> metadata with which to authenticate either the location or the
>> dereferenced data itself.
>
> yes, that is also what I had in mind when I talked about "trusted introducer"

The point here is how much information you'd have to put in such a handle to
establish trust (in both directions) when dereferencing it, and the additional
mechanisms at both sides. I guess it was Nico who mentioned that this
could become "hairy"…

Be goode,

--
"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D

e-mail: [email protected]
Tel:      +34 913 129 041
Mobile: +34 682 051 091
-----------------------------------------


This message is intended exclusively for its addressee. You can consult
our policy on sending and receiving e-mail at the link
below.
This message is intended exclusively for its addressee. We only send and
receive email on the basis of the terms set out at:
http://www.tid.es/ES/PAGINAS/disclaimer.aspx
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab