>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
>> You might need to unpack that for me. I agree that the value of
>> CUI is not scoped explicitly, but the IDP scope can be obtained
>> from the RADIUS context. That can be enforced by the trust router
>> network.
Stefan> In a trust router network context one could draw that
Stefan> conclusion, yes, especially considering the SP and IDP make
Stefan> a point-to-point connection.
Well, no.
I get an opaque identifier from the IDP at the RP-side proxy.
How do I decide whether I should permit that value to go towards the RP?
The RP is likely to have this value on ACLs and the like. I need to
enforce that no two IDPs can have the same value.
I know which IDP it's coming from, but we have not proposed a mechanism
to make this safe to use.
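The collision the message describes, as an added illustration that is not code from this thread or from any ABFAB/Moonshot implementation: an RP-side proxy receives an opaque CUI from an IdP, knows the IdP's realm from the RADIUS context, and must decide what to hand to an RP that keys ACLs on that value. The thread says no mechanism has been proposed; the realm-qualified form below is one obvious defensive assumption for the example, and all realm names, CUI values and function names are constructed here.

```python
"""
Added example (constructed, not from the thread): why forwarding a raw CUI
to the RP is unsafe when several IdPs sit behind one proxy, and how scoping
the value with the IdP realm learned from the RADIUS context removes the
cross-IdP collision.  Realm-qualified CUIs are an assumption of this
example, not a mechanism the thread or any RFC defines.
"""


def scope_cui(raw_cui: str, idp_realm: str) -> str:
    """Qualify the opaque CUI with the realm of the IdP that asserted it.

    Realms are DNS-style labels and never contain '/', so the scoped form
    can be split unambiguously even though the CUI itself is opaque.
    """
    if not raw_cui or not idp_realm or "/" in idp_realm:
        raise ValueError("need a non-empty CUI and a '/'-free realm")
    return f"{idp_realm}/{raw_cui}"


class Proxy:
    """Minimal stand-in for the RP-side proxy in the thread."""

    def __init__(self) -> None:
        # raw CUI -> realm it was first asserted by (constructed bookkeeping
        # so the proxy can at least notice two IdPs using the same value)
        self.first_seen: dict[str, str] = {}

    def forward_unscoped(self, raw_cui: str, idp_realm: str) -> str:
        """The unsafe behaviour the thread worries about: the IdP realm is
        known here but dropped, so the RP cannot tell two IdPs apart."""
        self.first_seen.setdefault(raw_cui, idp_realm)
        return raw_cui

    def forward_scoped(self, raw_cui: str, idp_realm: str) -> str:
        """Defensive variant: the RP only ever sees realm-qualified values."""
        self.first_seen.setdefault(raw_cui, idp_realm)
        return scope_cui(raw_cui, idp_realm)

    def collides_across_idps(self, raw_cui: str, idp_realm: str) -> bool:
        """True when this raw CUI was already asserted by a different IdP."""
        first = self.first_seen.get(raw_cui)
        return first is not None and first != idp_realm


def rp_permits(identifier: str, acl: set[str]) -> bool:
    """The RP's ACL check: a plain membership test on whatever it was handed."""
    return identifier in acl


def demo() -> dict:
    """Two IdPs happen to emit the same opaque CUI for different users."""
    raw = "7f3a9c"                       # constructed opaque CUI value
    idp_a, idp_b = "idp-a.example", "idp-b.example"   # constructed realms

    # Unscoped: the RP put IdP A's user on its ACL, but IdP B's user matches too.
    unscoped_acl = {raw}
    p = Proxy()
    a_unscoped = rp_permits(p.forward_unscoped(raw, idp_a), unscoped_acl)
    b_unscoped = rp_permits(p.forward_unscoped(raw, idp_b), unscoped_acl)
    detected = p.collides_across_idps(raw, idp_b)

    # Scoped: the ACL entry names the IdP, so only IdP A's user matches.
    scoped_acl = {scope_cui(raw, idp_a)}
    q = Proxy()
    a_scoped = rp_permits(q.forward_scoped(raw, idp_a), scoped_acl)
    b_scoped = rp_permits(q.forward_scoped(raw, idp_b), scoped_acl)

    return {
        "unscoped_a": a_unscoped,
        "unscoped_b": b_unscoped,
        "collision_detected": detected,
        "scoped_a": a_scoped,
        "scoped_b": b_scoped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two variants is that the proxy already holds the information needed to disambiguate (it knows which IdP the RADIUS exchange came from); the risk arises only when that context is discarded before the value reaches the RP's ACLs. The collision check in `collides_across_idps` is a detection aid for the unscoped case and does not by itself make the raw value safe, since the RP has no way to learn which assertion was the first one.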