[OTDev] A&A: precautions against pre-registering resources

Andreas Maunz andreas at maunz.de
Tue Jun 29 15:35:00 CEST 2010


Luchesar V. ILIEV wrote on 06/29/2010 02:21 PM:
> So, to summarize, the question is: how easy for the policy service
> would it be to check the SAN entries in the client certificate used in
> the SSL/TLS connection against the URL for which a policy is submitted
> through that secure channel?

I agree SSL is most probably the more sane way. But it is also more 
difficult to set up.
Currently, the A&A server runs as a virtual machine and SSL connections 
(which are as you know already possible) are currently handled by the 
host machine.
I would have to forward SSL to the guest machine, where OpenSSO cannot 
be switched into "SSL mode" so easily.

Currently I have:
Tomcat webserver running as webapplication (WAR):
1) OpenSSO
2) Policy service

Let me check out how this would be possible - the policy service should 
not be the problem.

Best regards
Andreas
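
The check asked about in the quoted question, sketched as an added example that is not part of the original message or of the OpenTox code. It assumes the SAN entries arrive as the (type, value) tuples that Python's ssl.SSLSocket.getpeercert() returns under 'subjectAltName'; the function names and all hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: SAN entries of a client certificate, in the
# (type, value) form found in ssl.SSLSocket.getpeercert()["subjectAltName"].
SAMPLE_SAN = (
    ("DNS", "service.example.org"),
    ("DNS", "*.apps.example.org"),
    ("IP Address", "192.0.2.10"),
)

def _dns_match(pattern, host):
    """Compare a SAN dNSName with a host name, case-insensitively.
    A wildcard is honoured only as the entire left-most label and
    covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        # rest must equal the non-wildcard part and still be a multi-label name
        return bool(head) and rest == pattern[2:] and "." in rest
    return False

def san_covers_url(san_entries, policy_url):
    """Return True only if the host of policy_url is named in the SAN entries
    of the certificate that authenticated the submitting connection."""
    try:
        parts = urlsplit(policy_url)
        host = parts.hostname  # drops userinfo and port, lower-cases the name
    except ValueError:
        return False  # malformed URL: reject rather than guess
    if parts.scheme not in ("http", "https") or not host:
        return False
    for kind, value in san_entries:
        if kind == "DNS" and _dns_match(value, host):
            return True
        if kind == "IP Address" and value == host:
            return True
    return False

if __name__ == "__main__":
    for url in ("https://service.example.org:8443/model/1",
                "http://service.example.org@other.example.net/model/1"):
        print(url, "->", san_covers_url(SAMPLE_SAN, url))
```

The comparison is made on the parsed host component, never on a prefix or substring of the URL, so a URL that merely contains a certified name in its userinfo or as a leading label is rejected.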


