
shibboleth-dev - Re: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To:
  • Subject: Re: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 07:48:37 -0400
  • Organization: UIS - Project Sentinel

Message-level security might be a better solution in the future, but for
now it's out of the question as it would require a change in the Shib
protocol and that would be bad at this stage of the game.

Personally I'd like to investigate something along this line in Shib 2.0
because I think it could help inter-operation between languages and help
reduce the risk that we might rely on some particular server/container
specific feature (it could also be a red herring that just results in
nasty complexity).

For now though, the goal is just to get a standalone Tomcat server to
behave like an Apache/Tomcat setup.

Tom Scavo wrote:
> On 6/13/05, Chad La Joie
> <>
> wrote:
>
>>Here's my question though, if we just pass the client-cert auth
>>employing request on, with the SSL info in the appropriate headers, for
>>the IdP to verify are we weakening the security that people expect from
>>the client-cert authentication? Also, are the headers that we're
>>placing this data in defined in a standard (HTTPS standard perhaps)?
>>
>>My only concern with all this is portability to other containers.
>
>
> Have you considered message-level security instead? Admittedly this
> is substituting one non-standard approach for another but WS-Security
> is inevitable, is it not?
>
> Tom

--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124


