On Tue, Dec 15, 2009 at 4:34 PM, John Bradley <[email protected]> wrote: > It is true that HoK doesn't work through a browser at the moment.
What about when the selector is invoked because a user browses to a Web page that has an info card HTML object tag in it? When the selector sends that Web site relying party the security token, is that token and the HTML message signed/encrypted with a proof key by the selector? I've been told it can't be because the selector is out of the picture by the time the STS sends the RSTR. The selector requests the token, but the last mile is just HTML and JavaScript. The selector (a fat client), which has the technological wherewithal to sign and encrypt messages, is long gone by this point, so it can't do a HoK proof and the browser can't either. Thus, all security tokens presented to Web site relying parties are bearer tokens even when info card is used. Is this correct? -- Regards, Travis Spencer _______________________________________________ higgins-dev mailing list [email protected] https://dev.eclipse.org/mailman/listinfo/higgins-dev
