shibboleth-dev - RE: Final Working Draft 01 of HoK Browser SSO
Subject: Shibboleth Developers
- From: "Scott Cantor" <>
- To: <>
- Cc: "'Toshiyuki Kataoka'" <>
- Subject: RE: Final Working Draft 01 of HoK Browser SSO
- Date: Wed, 12 Mar 2008 11:08:21 -0400
- Organization: The Ohio State University
> I think the interesting difference is that in the classical artifact
> model the SP only authenticates the assertion that it resolves, not the
> transport used to deliver the artifact. SAMLBindings 3.6.5.2 (Security
> Considerations) states that '[t]he transmission of an artifact to and
> from the user agent SHOULD be protected with confidentiality' but makes
> no recommendation regarding authentication.

That's a given. TLS to the IdP is almost always used in lieu of a signature
over the assertion.

> In the HoK artifact model, you MUST authenticate both. Well, I guess you
> could authenticate the user-agent *after* the artifact is resolved, but
> that would seem to require a slightly different work-flow from that
> required by the other bindings.

As Nate said, there's no difference here at all. Artifact use is entirely
orthogonal to the HoK vs. bearer issue.

-- Scott