Shibboleth Developers

At 12:10 PM -0500 11/19/03, Scott Cantor wrote:
> On 11/18/03 11:38 AM, 
> ""
>  
> <>
> wrote:
>
> >  I think there are a few concerns here, including the one you mention:
> >
> >  1) developing a non-browser based profile.
> >
> >  2) apps like the LionShare client/server (ie apps using an over the
> >  wire protocol other than HTTP/SOAP) are going to have to figure out
> >  how to transport  SAML assertions from one end to the other...
> >  presumably by binding these assertions in  some fashion to their
> >  existing protocol.... this is their problem,  not ours (-:
>
> It's more subtle than that, though. Just binding assertions to messages is
> the kind of thing WS-Security does. But if you don't define what's in them,
> when you can get them, and how you prove the right to use them, you don't
> get any security for your application.

Agreed -- I see defining "what's in them,  when you can get them" as 
defining some extensions to the basic protocol.

Its the other item -- "how you prove the right to use them"  -- that 
seems rather difficult in this case.

Can we imagine anything as "proof", beyond  possession of a short-lived token?