[mdx] on splitting the spec

Ian Young ian at iay.org.uk
Tue Oct 1 06:19:28 PDT 2013


On 1 Oct 2013, at 13:58, Tom Scavo <trscavo at gmail.com> wrote:

> On Tue, Oct 1, 2013 at 6:25 AM, Ian Young <ian at iay.org.uk> wrote:
>> 
>> * The whole SHA-1 identifier thing ends up as a MUST as a result of a feature within SAML. There does not seem to be a corresponding use case for other forms of metadata, so perhaps implementations could dispense with this potential security issue if they weren't serving SAML metadata. We certainly need to at least mention SAML in the justification for including the feature.
> 
> It's not SAML metadata considerations that require SHA-1 hashed
> identifiers, it's metadata used to drive SAML Web Browser SSO. JSON
> metadata could be used for this purpose. Likewise SAML metadata could
> be used to drive OpenID Connect flows.

That's true in principle, but doesn't seem to be relevant in practice, at least today.

Is this just an observation, or are you suggesting that the use case of an entity processing SAML 2.0 artifact flows that is unable to interpret SAML 2.0 metadata is important enough that we can't live without SHA-1 transformed identifier support for all metadata types?

	-- Ian
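Added illustration of the use case being argued over, not code from this thread or from the MDX/MDQ specification: a SAML 2.0 type-0x0004 artifact carries a 20-byte SourceID that is the SHA-1 digest of the issuer's entityID, so a relying party holding only the artifact has to look the issuer's metadata up by hash, which is what the `{sha1}` transformed identifier form of the lookup key exists for. The entityID, metadata string and message handle are constructed sample values; the `MetadataIndex` class and the `{sha1}` + lowercase hex layout of the key are assumptions of this example.

```python
"""Why an MDQ-style metadata server needs to resolve '{sha1}' identifiers.

Added example, not from the mdx list or the MDX/MDQ spec. A type 0x0004
artifact is TypeCode(2) + EndpointIndex(2) + SourceID(20) + MessageHandle(20),
base64-encoded, where SourceID is the SHA-1 of the issuer's entityID. All
entityIDs, metadata documents and handles below are constructed samples.
"""
import base64
import hashlib
import struct

SHA1_PREFIX = "{sha1}"  # assumed lookup-key prefix for the hashed form


def sha1_identifier(entity_id: str) -> str:
    """Transformed identifier: '{sha1}' + lowercase hex SHA-1 of the UTF-8 entityID."""
    return SHA1_PREFIX + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def source_id(entity_id: str) -> bytes:
    """SAML 2.0 artifact SourceID: the raw 20-byte SHA-1 of the entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int, message_handle: bytes) -> str:
    """Encode a type 0x0004 artifact for the given issuer (constructed test data)."""
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = struct.pack(">HH", 0x0004, endpoint_index) + source_id(entity_id) + message_handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64: str) -> dict:
    """Decode an artifact into its fields; reject unknown types and bad lengths."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError("type 0x0004 artifact must be 44 bytes, got %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return {
        "endpoint_index": endpoint_index,
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


class MetadataIndex:
    """Toy metadata store (assumed structure) keyed both by entityID and by '{sha1}' form."""

    def __init__(self) -> None:
        self._by_id = {}
        self._by_sha1 = {}

    def add(self, entity_id: str, document: str) -> None:
        self._by_id[entity_id] = document
        self._by_sha1[sha1_identifier(entity_id)] = document

    def lookup(self, identifier: str):
        # The hashed form is served without the caller ever knowing the entityID.
        if identifier.startswith(SHA1_PREFIX):
            return self._by_sha1.get(identifier)
        return self._by_id.get(identifier)


def resolve_issuer(index: MetadataIndex, artifact_b64: str):
    """Find the artifact issuer's metadata using nothing but the SourceID in the artifact."""
    fields = parse_artifact(artifact_b64)
    return index.lookup(SHA1_PREFIX + fields["source_id"].hex())


if __name__ == "__main__":
    index = MetadataIndex()
    idp = "https://idp.example.org/idp"  # constructed entityID
    index.add(idp, "<EntityDescriptor entityID='%s'/>" % idp)
    art = build_artifact(idp, 0, b"\x01" * 20)  # constructed artifact
    print(resolve_issuer(index, art))
```

The point the example makes is the one in the thread: a consumer of an artifact has no entityID to ask for, only its digest, so unless the metadata service can answer a `{sha1}` query the artifact cannot be resolved at all. A consumer should still check that the entityID in whatever document comes back hashes to the SourceID it asked about, since the hashed key by itself does not prove the answer is the right one.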
