On 2-Mar-06, at 7:10 AM, Hallam-Baker, Phillip wrote:
I forgot to mention, you can use the standard HTTP content negotiation
mechanism to select form encoded or SAML assertions in the exchange
between the relying party and the registry.
A good way to think of it is that the exchange between the relying party
and the registry is simply a standard HTTP request/response. The only
difference is that the authentication data is provided by a different
party, the user that initiated the original request rather than the
relying party making the federated auth request.
The key advantage here is that the protocol is safe against
man-in-the-middle attacks, provided that the user interface for the
browser does not allow a downgrade attack to BASIC auth. This is of
course a security failure that needs fixing regardless.
What this scheme does not provide is a way for the end user to control
the specific attributes that are released.
IMHO it is critical for the user to control the release.
LID et al. have some mechanism for allowing sites to query the registry
and have the user control the release (which I don't fully understand).
I think there is something from your previous post though in how a
Rich Client can negotiate with the site leveraging existing standards.
-- Dick
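The relying-party-to-registry exchange described above, with the registry choosing between a form-encoded and a SAML-assertion representation via the standard Accept header, is sketched below as an added example; it is not code from either poster or from any of the projects named in the thread. It assumes the media type names `application/x-www-form-urlencoded` and `application/samlassertion+xml`, a constructed attribute set, and a hypothetical `released` set standing in for the user-controlled attribute release that the thread says the scheme itself does not provide.

```python
"""Content negotiation for a registry lookup (constructed example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlencode

# Representations the registry can serve; media type names are assumptions.
FORM_ENCODED = "application/x-www-form-urlencoded"
SAML_ASSERTION = "application/samlassertion+xml"
SUPPORTED = [FORM_ENCODED, SAML_ASSERTION]  # order = server preference


def parse_accept(header: str) -> List[Tuple[str, float]]:
    """Parse an Accept header into (media_range, q) pairs, most preferred first."""
    prefs = []
    for position, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat the range as unacceptable
        prefs.append((parts[0].lower(), max(0.0, min(q, 1.0)), position))
    # Higher q first, then more specific ranges before wildcards, then header order.
    prefs.sort(key=lambda t: (-t[1], t[0].count("*"), t[2]))
    return [(media_range, q) for media_range, q, _ in prefs]


def matches(media_range: str, media_type: str) -> bool:
    """True if a media range such as */*, application/* or an exact type covers media_type."""
    if media_range == "*/*":
        return True
    range_type, _, range_sub = media_range.partition("/")
    type_, _, sub = media_type.partition("/")
    return range_type == type_ and (range_sub == "*" or range_sub == sub)


def negotiate(accept_header: Optional[str]) -> Optional[str]:
    """Pick the supported representation the client prefers, or None (406 Not Acceptable)."""
    if not accept_header:
        return FORM_ENCODED  # no Accept header: serve the default representation
    for media_range, q in parse_accept(accept_header):
        if q <= 0:
            continue  # q=0 means the client explicitly refuses this range
        for supported in SUPPORTED:
            if matches(media_range, supported):
                return supported
    return None


def build_response(accept_header: Optional[str], attributes: Dict[str, str],
                   released: Set[str]) -> Tuple[int, Optional[str], str]:
    """Return (status, content_type, body) for a registry lookup by the relying party."""
    media = negotiate(accept_header)
    if media is None:
        return 406, None, ""
    # Hypothetical release filter: only attributes the user approved leave the registry.
    disclosed = {k: v for k, v in attributes.items() if k in released}
    if media == FORM_ENCODED:
        return 200, FORM_ENCODED, urlencode(sorted(disclosed.items()))
    # Minimal stand-in for an assertion document; not a complete SAML assertion.
    root = ET.Element("Assertion")
    for name, value in sorted(disclosed.items()):
        attr = ET.SubElement(root, "Attribute", Name=name)
        ET.SubElement(attr, "AttributeValue").text = value
    return 200, SAML_ASSERTION, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed attribute set held by the registry for one user.
    profile = {"name": "Alice Example", "email": "alice@example.test"}
    for accept in ("application/samlassertion+xml, application/x-www-form-urlencoded;q=0.5",
                   "*/*", "text/html", None):
        print(accept, "->", build_response(accept, profile, released={"name"}))
```

The relying party states what it can consume in Accept and the registry answers in that representation or with 406; nothing about the lookup changes when the user, rather than the relying party, supplied the authentication data. The `released` filter shows where a user-controlled release decision would have to sit.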
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix