On 11/08/2012 09:49 PM, Sam Hartman wrote:
>>>>>> "Leif" == Leif Johansson <[email protected]> writes:
> Leif> On 11/08/2012 09:39 PM, Sam Hartman wrote:
> >>
>> Klaas> Also speaking as an individual. I do support the idea of
> Klaas> using RadSec. However, I think that one reason why one would
> Klaas> be willing to support SAML sigs is the simple fact that they
> Klaas> exist today and presumably organizations might be willing to
> Klaas> continu to use their existing practice for end to end
> Klaas> protection. I realize that in some scenarios it will be
> Klaas> impossible for the RP to verify the signature, but I'd say
> Klaas> that in the majority of cases this is not more of a problem
> Klaas> than it would be in RadSec (barring trust router
> Klaas> implementations).
> >>
> >> Sure, and for that reason, I think SAML sig validation
> >> implementation should be a SHOULD. But I think for an MTI
> >> mechansim we should pick something that actually protects the
> >> whole exchange.
> Leif> Still with no hat on whatsoever...
>
> Leif> You seem to be assuming a situation where attributes are
> Leif> sometimes sent as AAA-attributes and sometimes as
> Leif> SAML-attributes.
>
> no, I'm assuming that deployments have the flexibility as to whether to
> use AAA attributes or SAML attributes.
> Some of the use cases I'm looking at involve no SAML at all; some
> involve using SAML for everything.
>
> Having multiple ways to convey attributes was a fairly explicit decision
> here. It's true that it means attribute-container-specific security
> mechanisms lose value.
OK, then we're on the same page. Thx.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
