[wsf-dev] ECP test harness
Scott Cantor
cantor.2 at osu.edu
Fri Mar 14 14:08:36 PDT 2008
> I don't understand this. I thought the process was that the IdP could
> use whatever form of authentication they wanted to (like any of the other
> SSO profiles) and that the ECP would look at the response -- if it was a
> standard HTML message, it was passed to the browser (so it could be the
> IdP's login page). Later, the ECP would capture the authentication
> response from the IdP (so yeah, the ECP would have to peek at each message
> coming back from the IdP if there was a hanging authnrequest looking for the
> response).
Maybe. I have never seen a client or talked to anybody that built one.
Nobody until now has ever challenged the idea that the profile was
incomplete. I wasn't even the first person to say it, but I took silence as
assent.
Like I said, if I'm wrong that's a good thing.
I always assumed, though, that as with Cardspace, the way to do ECP was to
create a uniform interface to collect the password rather than just
pass-thru existing pages. I realize that it takes more than that to stop
phishing, and that doing it in user-space isn't really an answer, but I
assumed part of the point was to make some progress at least.
Taking that idea a bit farther, I could imagine encrypting the credentials
using the key in the IdP's metadata to bypass any use of commercial SSL as a
means to verify the identity of the IdP site, etc.
That's the sort of stuff I always had in my head when thinking about ECP.
Maybe that was part of my problem.
-- Scott