Re: [KAML] Reminder: BOF proposals to me by October 1

"Tom Scavo" <> Sat, 17 November 2007 00:02 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1ItB8w-0004mC-FM; Fri, 16 Nov 2007 19:02:38 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1ItB8u-0004jb-FP for; Fri, 16 Nov 2007 19:02:36 -0500
Received: from ([]) by with esmtp (Exim 4.43) id 1ItB8q-0007dP-TI for; Fri, 16 Nov 2007 19:02:36 -0500
Received: by with SMTP id 31so378982huc for <>; Fri, 16 Nov 2007 16:02:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=1Iy9LBVfNmnexaXQw+E7mbbz5UfvJI0A1xONLtnBdmQ=; b=Ja3EmF9buHdem8boVKVVSgB8BaT0msMAlM3CF9ljApOz3KkbYLA2IJFNyPVP1iT2YPmZzlQEI89RZyd/Bm3CnLXK+Lq0DtSFx5xTKqyD7MVztJGUZ7PAB12Px1MGEURQTQC1tK/VQPL8K6C7KlflHs/Xl4ko7ezTnRmAh7aR/TU=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=qEj07yjjd4aJl6UioUWELueOiLj7/NBIeSIvqB6WxM68dTVnlAMq66q8y9GxK47Zhbh47GxbhlxBTlxFyC5Sly9uqkRKXEMd90euaQW/XpLeB19CHa9tDpHdNz7Or6vFiE3Ie1fxzDRBQUTqeeWRuxZPdo9fkmHZGwB3/oAFapQ=
Received: by with SMTP id m6mr6281805buf.1195257751782; Fri, 16 Nov 2007 16:02:31 -0800 (PST)
Received: by with HTTP; Fri, 16 Nov 2007 16:02:31 -0800 (PST)
Message-ID: <>
Date: Fri, 16 Nov 2007 19:02:31 -0500
From: "Tom Scavo" <>
To: "Josh Howlett" <>
Subject: Re: [KAML] Reminder: BOF proposals to me by October 1
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <> <> <> <>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52e1467c2184c31006318542db5614d5
Cc:, Paul Rabinovich <>
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

On Nov 16, 2007 5:54 PM, Josh Howlett <> wrote:
> >
> > With regard to (1), I think you're missing the point, Josh.
> > How the LoA is carried in the SAML assertion is a technical
> > detail, not a matter of policy.
> My point was that if the <LoA token> can be acquired post hoc then the
> Relying Party can decide itself what is the necessary token(s), rather
> than relying on the TGS to choose what it believes is appropriate. The
> fire-and-forget approach does not provide room for agility.

I don't believe it works that way, Josh.  An RP that resolves a token
reference receives the same token that would otherwise be received by
value.  The act of authentication has already taken place, so there is
very little wiggle room, in fact.  You may as well push the token up
front in that case.

> I believe that what constitutes an appropriate <LoA token> depends on
> what the Relying Party in question feels is necessary to satisfy their
> policy, and so binding these semantics arbitrarily to the transport
> protocol seems unnecessarily restrictive. Let them choose! AuthN
> context, attribute or moon phase....

I think you're mixing two separate issues:

1. How to bind an LoA token to a SAML assertion.
2. How to transmit a SAML assertion to an RP.

I don't really care how (1) plays out, and it isn't really relevant
here anyway, but I have strong opinions about (2).  It's clear to me
(YMMV of course) that pushing the security information by value is
preferred.  I've learned this after almost three years of effort
trying to integrate SAML and X.509.

Tom Scavo

KAML mailing list