Tuesday, June 20, 2006

Dial 'N' for NoSig

Jeff Hodges & Scott Cantor have created a proposal for a new SAML binding, most notable for making its use of XML Signature optional.

Jeff's description for the SSTC was:
The central thesis is that for various implementation and deployment scenarios, reliance upon XMLdsig is an inhibitor.
I think of this binding as the SAML community turning down the security dials on the protocols (or more accurately ensuring that they can be turned down in an interoperable manner) - lower settings appropriate in some situations.
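One way to picture the "dial" from the relying party's side, as an added example that is not part of the original post or of the Hodges/Cantor proposal: the relying party keeps the high setting (XML Signature required) as its default and only lowers it for an issuer whose per-partner policy explicitly says so. The message shapes, issuer names and the PartnerPolicy structure are constructed for illustration; the code checks only for the presence of a ds:Signature element and applies the policy, it does not verify a signature cryptographically (that needs a real XML Signature library).

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


@dataclass(frozen=True)
class PartnerPolicy:
    """Hypothetical per-issuer 'dial' setting held by the relying party.

    The high setting (require_xml_signature=True) is the default; a partner
    only gets the lower setting if an operator turns it down explicitly.
    """
    issuer: str
    require_xml_signature: bool = True


def has_xml_signature(elem):
    """True if elem carries a direct ds:Signature child (presence only)."""
    return elem.find(f"{{{DS}}}Signature") is not None


def evaluate_response(xml_bytes, policies):
    """Apply the per-issuer dial to a samlp:Response.

    Returns (accepted, reason). A message is treated as signed when either the
    Response or every Assertion in it carries a ds:Signature element.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    if issuer_el is None or not (issuer_el.text or "").strip():
        return False, "missing Issuer"
    issuer = issuer_el.text.strip()
    policy = policies.get(issuer)
    if policy is None:
        return False, f"unknown issuer {issuer}"
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        return False, "no Assertion in Response"
    signed = has_xml_signature(root) or all(has_xml_signature(a) for a in assertions)
    if policy.require_xml_signature and not signed:
        return False, "policy requires an XML Signature and none is present"
    if signed:
        return True, "accepted (XML Signature present)"
    return True, f"accepted without XML Signature (dial lowered for {issuer})"


def make_response(issuer, signed):
    """Constructed sample message; the Signature element is a placeholder."""
    sig = ("<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
           "</ds:Signature>" if signed else "")
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  {sig}
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""".encode()


# Hypothetical issuers: one kept at the default (high) setting, one turned down.
STRICT_IDP = "https://strict-idp.example.org"
RELAXED_IDP = "https://relaxed-idp.example.org"
POLICIES = {
    STRICT_IDP: PartnerPolicy(STRICT_IDP),
    RELAXED_IDP: PartnerPolicy(RELAXED_IDP, require_xml_signature=False),
}

if __name__ == "__main__":
    for issuer in (STRICT_IDP, RELAXED_IDP, "https://unknown.example.net"):
        for signed in (True, False):
            print(issuer, "signed" if signed else "unsigned",
                  evaluate_response(make_response(issuer, signed), POLICIES))
```

The point of the structure is that the lower setting is a deliberate, per-partner decision recorded in configuration, so "how much was taken off" is visible and reversible rather than a side effect of which binding happened to be used.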

I don't know just how much effort was expended by Scott & Jeff on this work - I do know that far more would have been required to "add" security at this point.

As is true for haircuts - you get into trouble if you take too much off the first time.

UPDATE - Pete Rowley reminds me that hair grows back. Pete, you obviously have a fine head of hair - I myself am working through what my wife refers to as a 'Kramer period'. Nevertheless, I think we should remain sensitive to the security entitlements of those less fortunate than ourselves.

And with respect to my hairdressing ambitions, I worked through those in my university days cutting my own hair in the mirror to save beer money. As for identity, sometimes it's better to delegate to a professional.
