
shibboleth-dev - RE: attribute queries

Subject: Shibboleth Developers


RE: attribute queries


  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>
  • Cc: "'Frank Siebenlist'" <>, "'Shibboleth Dev Team'" <>
  • Subject: RE: attribute queries
  • Date: Wed, 30 Mar 2005 14:19:19 -0500
  • Organization: The Ohio State University

> (The following is my own personal opinion.) We can and should build
> on the BAH profile, but it sorely needs a rewrite.

No argument.

> It should build
> squarely on existing specifications such as SAML 2.0 Metadata and the
> Assertion Query/Request Profile.

Well, nobody but us seems to really push the metadata angle, but in their
defense, they didn't have the metadata extension for queries. I've already
pushed what you gave me into a vote so that it gets in place as quickly as
possible. It's got a ballot open now to give it official but non-standard
status.

I do wish they'd have just written it in a more layered fashion.

> Moreover, the security requirements
> of the BAH profile are too strict for our use case (and in general, I
> believe). If these issues aren't addressed in the next draft (is a
> 2nd draft forthcoming?) we will probably have to write our own.

Yes, he has created a basic mode that isn't as strict re: encryption, but
right now the draft I saw (unpublished) still has all kinds of weird signing
rules, and it still requires holder of key.

I was hoping, but you know...

-- Scott



