On 11/08/2012 09:39 PM, Sam Hartman wrote:
>
>
>     Klaas> Also speaking as an individual. I do support the idea of
>     Klaas> using RadSec. However, I think that one reason why one would
>     Klaas> be willing to support SAML sigs is the simple fact that they
>     Klaas> exist today and presumably organizations might be willing to
>     Klaas> continue to use their existing practice for end to end
>     Klaas> protection. I realize that in some scenarios it will be
>     Klaas> impossible for the RP to verify the signature, but I'd say
>     Klaas> that in the majority of cases this is not more of a problem
>     Klaas> than it would be in RadSec (barring trust router
>     Klaas> implementations).
>
> Sure, and for that reason, I think SAML sig validation implementation
> should be a SHOULD.  But I think for an MTI mechanism we should pick
> something that actually protects the whole exchange.
Still with no hat on whatsoever...

You seem to be assuming a situation where attributes are sometimes
sent as AAA-attributes and sometimes as SAML-attributes.

I think what we're seeing is a negative consequence of that design
choice in that it is now impossible to use existing deployments of SAML
trust infrastructure to protect all forms of attribute exchange.

Please correct me if I got any of that wrong.

            Cheers Leif
_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab
