Bernard Aboba wrote:
> Why can't we send a URL pointing to the {SAML Assertion, Certificate}
> instead of sending the data itself?

Sure. That may work. Sometimes.

The RADIUS system may not be publicly accessible. So any web server has to be located somewhere else. And the RADIUS server needs a way to talk to it. Or, the firewall rules need to be updated to allow non-RADIUS requests to make it to the RADIUS server.

And this has to be bi-directional, as both ends of the RADIUS conversation want to send large amounts of data to each other.

I think the simplest answer is that RADIUS systems use RADIUS to exchange RADIUS data. Doing anything else requires talking to non-RADIUS people, which is hard.

The downside of this draft is that some RADIUS implementations need to change. But they'd have to change *anyways* to use any URL scheme.

Another issue is proxies. Some proxies are required to mangle the data they pass, for inter-operability reasons. Using RADIUS lets them do this. Using URLs means that they either have to ignore the URL, or re-host it themselves.

Relying on non-RADIUS systems means added complexity, and dependence on external systems. The RADIUS process becomes more fragile.

> This is what was done in IKE to avoid fragmentation.

I think the IPSec boxes are already "public" on the net. Requiring them to be closely tied to a public web server may be a simple step.

Alan DeKok.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
