Hi,

Let's take into account that a SAML signature means that the IdP does assert the attributes belong to a user (subject). A RadSec signature means you are authenticating a party, the IdP. So it should be clearly specified when we can make use of one or the other.
Besides, does it mean we finally need a public key infrastructure?

Sent from Samsung tablet

Leif Johansson <[email protected]> wrote:

> On 11/08/2012 09:49 PM, Sam Hartman wrote:
> >>>>>> "Leif" == Leif Johansson <[email protected]> writes:
> >
> >     Leif> On 11/08/2012 09:39 PM, Sam Hartman wrote:
> >     >>
> >     >> Klaas> Also speaking as an individual. I do support the idea of
> >     >> Klaas> using RadSec. However, I think that one reason why one would
> >     >> Klaas> be willing to support SAML sigs is the simple fact that they
> >     >> Klaas> exist today and presumably organizations might be willing to
> >     >> Klaas> continue to use their existing practice for end to end
> >     >> Klaas> protection. I realize that in some scenarios it will be
> >     >> Klaas> impossible for the RP to verify the signature, but I'd say
> >     >> Klaas> that in the majority of cases this is not more of a problem
> >     >> Klaas> than it would be in RadSec (barring trust router
> >     >> Klaas> implementations).
> >     >>
> >     >> Sure, and for that reason, I think SAML sig validation
> >     >> implementation should be a SHOULD. But I think for an MTI
> >     >> mechanism we should pick something that actually protects the
> >     >> whole exchange.
> >
> >     Leif> Still with no hat on whatsoever...
> >
> >     Leif> You seem to be assuming a situation where attributes are
> >     Leif> sometimes sent as AAA-attributes and sometimes as
> >     Leif> SAML-attributes.
> >
> > no, I'm assuming that deployments have the flexibility as to whether to
> > use AAA attributes or SAML attributes.
> > Some of the use cases I'm looking at involve no SAML at all; some
> > involve using SAML for everything.
> >
> > Having multiple ways to convey attributes was a fairly explicit decision
> > here. It's true that it means attribute-container-specific security
> > mechanisms lose value.
>
> OK, then we're on the same page. Thx.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
