Shibboleth Developers

[Nate Klingenstein <>]

Round two!

The feedback has been very useful.  I've made the following decisions  
and changes in addition to the ones that I've already stated over the  
weekend, factoring in feedback both on- and off-list.

Added the following to the background to address Diego's concerns  
about different TLS configuration/CA requirements and the impact on  
the user experience.  "Deployments should minimize user interaction  
and avoid mutually conflicting CA requirements by coordinating  
certificate issuance and TLS configuration."

Changed many references from "web browser" to "[HTTP] user agent".   
This should generalize the profile to encompass non-web-browser HTTP  
user agents, but if I were to expand this to include any application- 
layer protocol I think it would be too hopelessly broad, leaving  
little to profile.  SOAP over HTTP already has good protocols and  
profiles to choose from.  I retained the name "Web Browser" and the  
associated identifying URN for consistency with the existing profile,  
but I'm not certain that's best.

Hope you guys like it,
Nate.

Attachment: draft-sstc-saml-keyed-browser-sso-wd-01.pdf
Description: Adobe PDF document