I don't understand what your trust model is. If you don't have a PKI or a
trust router, then how can an RP trust any SAML metadata that it has
obtained from anywhere? It has to get this from a trustworthy source. I
thought that the trust router (admin) was this TTP. If not, then who is?
The federation authority was to my mind the trust router administrator,
and was responsible for mapping the IDP name to realm name.
The name of a SAML IDP is irrelevant if you don't have a trustworthy
source for this information. Similarly, an unsigned key is also worthless
from a trust perspective unless you get it face to face from the owner.
regards
david
On 11/11/2013 16:57, Leif Johansson wrote:
> On 11/11/2013 08:21 AM, David Chadwick wrote:
>> Here is the rationale for my answer:
>> 1. the user types in the name of the remote realm to the RP
>> 2. the RP trusts the trust router to set up the DH keys with some
>> remote entity that purports to answer for this realm
> We are not talking about trust router on this mailing list at this time.
> We're talking about using SAML metadata for abfab.
> Do you have comments about name-to-key binding in that context?
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab