>>>>> "Leif" == Leif Johansson <[email protected]> writes:

    Leif> On 11/08/2012 09:39 PM, Sam Hartman wrote:
    >> 
    Klaas> Also speaking as an individual. I do support the idea of
    Klaas> using RadSec. However, I think that one reason why one would
    Klaas> be willing to support SAML sigs is the simple fact that they
    Klaas> exist today and presumably organizations might be willing to
    Klaas> continue to use their existing practice for end to end
    Klaas> protection. I realize that in some scenarios it will be
    Klaas> impossible for the RP to verify the signature, but I'd say
    Klaas> that in the majority of cases this is not more of a problem
    Klaas> than it would be in RadSec (barring trust router
    Klaas> implementations).
    >> 
    >> Sure, and for that reason, I think SAML sig validation
    >> implementation should be a SHOULD.  But I think for an MTI
    >> mechanism we should pick something that actually protects the
    >> whole exchange.
    Leif> Still with no hat on whatsoever...

    Leif> You seem to be assuming a situation where attributes are
    Leif> sometimes sent as AAA-attributes and sometimes as
    Leif> SAML-attributes.

No, I'm assuming that deployments have the flexibility as to whether to
use AAA attributes or SAML attributes.
Some of the use cases I'm looking at involve no SAML at all; some
involve using SAML for everything.

Having multiple ways to convey attributes was a fairly explicit decision
here. It's true that it means attribute-container-specific security
mechanisms lose value.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
