[mdx] on splitting the spec
Tom Scavo
trscavo at gmail.com
Tue Oct 1 05:58:14 PDT 2013
On Tue, Oct 1, 2013 at 6:25 AM, Ian Young <ian at iay.org.uk> wrote:
>
> * The whole SHA-1 identifier thing ends up as a MUST as a result of a feature within SAML. There does not seem to be a corresponding use case for other forms of metadata, so perhaps implementations could dispense with this potential security issue if they weren't serving SAML metadata. We certainly need to at least mention SAML in the justification for including the feature.
It's not SAML metadata considerations that require SHA-1 hashed
identifiers, it's metadata used to drive SAML Web Browser SSO. JSON
metadata could be used for this purpose. Likewise SAML metadata could
be used to drive OpenID Connect flows.
Tom
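To make the "SHA-1 identifier" feature under discussion concrete, here is an added example (not code from the mdx project or from either writer) showing what a metadata query server has to maintain when it accepts hashed identifiers. It assumes the MDQ convention that the transformed identifier is the literal string "{sha1}" followed by the lowercase hex SHA-1 of the entityID bytes, an assumption drawn from the MDQ draft rather than from this message, and it uses constructed entityIDs. Because the hash is one-way, the server needs a hash-to-entityID index built from the metadata it already holds, and that index is the natural place to detect two registered entityIDs that map to the same hash.

```python
import hashlib
from urllib.parse import quote


def sha1_transformed_identifier(entity_id: str) -> str:
    """Return '{sha1}<40 lowercase hex chars>' for an entityID.

    The "{sha1}" prefix plus lowercase hex digest is the assumed MDQ
    transformed-identifier format; nothing here comes from the mailing list.
    """
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return "{sha1}" + digest


def mdq_request_path(identifier: str) -> str:
    """Percent-encode an identifier (hashed or plain) into an /entities/ path.

    The path layout is an assumption for illustration; the braces in
    "{sha1}" are what force the percent-encoding.
    """
    return "/entities/" + quote(identifier, safe="")


class TransformedIdIndex:
    """Hash-to-entityID index a metadata server would keep.

    Built once from the entityIDs the server already serves, so a request
    for a hashed identifier can be resolved without reversing SHA-1.
    """

    def __init__(self, entity_ids):
        self._by_hash = {}
        self._known = set()
        for eid in entity_ids:
            key = sha1_transformed_identifier(eid)
            # Two distinct entityIDs with the same SHA-1 would make the hashed
            # identifier ambiguous; refuse to index such a set rather than
            # silently serving whichever was registered last.
            if key in self._by_hash and self._by_hash[key] != eid:
                raise ValueError(
                    f"SHA-1 identifier {key} maps to both "
                    f"{self._by_hash[key]!r} and {eid!r}"
                )
            self._by_hash[key] = eid
            self._known.add(eid)

    def resolve(self, identifier: str):
        """Map a request identifier to a known entityID, or None."""
        if identifier.startswith("{sha1}"):
            # Hex digests are case-insensitive; normalise before lookup.
            key = "{sha1}" + identifier[len("{sha1}"):].lower()
            return self._by_hash.get(key)
        return identifier if identifier in self._known else None


# Constructed sample entityIDs, not taken from any real federation.
SAMPLE_ENTITY_IDS = [
    "https://idp.example.org/idp/shibboleth",
    "https://sp.example.net/shibboleth",
]


def demo():
    index = TransformedIdIndex(SAMPLE_ENTITY_IDS)
    hashed = sha1_transformed_identifier(SAMPLE_ENTITY_IDS[0])
    return {
        "hashed": hashed,
        "path": mdq_request_path(hashed),
        "resolved": index.resolve(hashed),
        "unknown": index.resolve("{sha1}" + "0" * 40),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A server that only serves non-SAML metadata could skip building the index entirely and reject "{sha1}" identifiers outright, which is the option Ian's point leaves open.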