Shibboleth Developers

[Scott Cantor <>]

> Eh, but the POST contains a signed authentication assertion, 
> yes (or signed assertion containing an authn statement, to be 
> precise)?  You're saying that attr assertion signing is 
> broken?  Then how can authn assertion signing be working?

No, in Liberty the assertion is signed, but in SAML, the enclosing Response 
is signed but the assertion doesn't have to be (and
isn't really worth signing since it's short lived). The difference is that 
the signed data in SAML is the entire XML document, thus
the deficiencies in subsetting SAML for signatures aren't fatal, just time 
consuming to code around.

> Right, origins will want the new stuff, so interop with 0.8 
> origins isn't a big priority.
> 
> So unless others object I'd say go for it and we'll get the 
> guys in sharkskin to explain why it's better this way ...

Alright, I'm occupied with Liberty 'zillas and some other local work, plus 
testing Walter's code and some more load testing here, so
there's a bit of time before I dive in. Probably need to peruse the OpenSSL 
book anyway to see what I'm in for.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--