shibboleth-dev - Re: attribute queries

Subject: Shibboleth Developers

  • From: Tom Scavo <>
  • To: Scott Cantor <>
  • Cc: Frank Siebenlist <>, Shibboleth Dev Team <>
  • Subject: Re: attribute queries
  • Date: Wed, 30 Mar 2005 14:13:25 -0500

On Wed, 30 Mar 2005 12:51:09 -0500, Scott Cantor <> wrote:
>
> I guess there's a possibility we could push the TC to adopt and bless your
> profile/extension. The current profile that BAH is proposing, while similar,
> isn't exactly lining up. It doesn't support push, and it also uses
> holder-of-key subject confirmation, although I suppose you could adopt that
> part without really breaking anything you're doing.

(The following is my own personal opinion.) We can and should build
on the BAH profile, but it sorely needs a rewrite. It should build
squarely on existing specifications such as SAML 2.0 Metadata and the
Assertion Query/Request Profile. Moreover, the security requirements
of the BAH profile are too strict for our use case (and in general, I
believe). If these issues aren't addressed in the next draft (is a
2nd draft forthcoming?) we will probably have to write our own.

Tom

PS. "BAH" stands for "Booz Allen Hamilton", the author of "SAML X.509
Authentication-based Attribute Sharing Profile":
http://www.oasis-open.org/committees/download.php/11323/sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-02.pdf
