I agree that is an option; and it wouldn't be the end of the world if that's where we end up. But I believe it would impede interoperable deployments because it defers this discussion to implementers and users who won't, on the whole, care about or understand the issues. I would prefer to have a simple interoperable solution that works for 99% of the users than a less constrained but accordingly more complex solution that satisfies the remaining 1%.
(This is, as I understand it, the reason why the SAML community ended up with the 'Metadata Interoperability Profile', which constrains the possible expressible trust semantics of SAML 2.0 federation metadata to facilitate interop.)

Josh.

On 02/10/2012 17:03, "Stephen Farrell" <[email protected]> wrote:

>
> I had a quick look at the -03 draft and I'm confused.
>
> Are "ignore signatures is the MUST implement" and
> "MUST NOT sign" the only real options?
>
> For example, I don't get why "IdP MAY sign +
> RP is NOT REQUIRED to verify signature +
> RP MUST implement signature verification"
> is not an option. (Assuming you add text that
> justifies why hop-by-hop integrity is ok.)
>
> Note: I'm not saying that the above is what
> you ought to do, I'm saying I don't get why it's
> not possible.
>
> S.
>
> On 10/02/2012 04:47 PM, Sam Hartman wrote:
>> OK, I'm with Josh. This is going to be one of those cases where digging
>> in heels now and saying MUST NOT sign will save us political grief
>> later. A lot of people like Stephen are going to look at ignore
>> signatures and complain, whereas they would be more willing to accept
>> that we're simply not using per-message signatures at all. It's
>> unfortunate because I do think there are situations where signatures are
>> valuable. However, I'm imagining that we're going to be having this
>> argument again and again and again and it just won't be worth the cost.
>>

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
