From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Wednesday, February 18, 2009 7:21 PM
To: John Bradley
Cc: imi@lists.oasis-open.org; Michael McIntosh; Mike Jones
Subject: Re: [imi] Hopefully last change to the IMI spec before producing a Committee Draft
I think it should be a RECOMMENDED and not a SHOULD
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
John Bradley ---02/18/2009 09:18:17 PM---Yes, Not disclosed to RPs, Cardholders or anyone else.
From: John Bradley <jbradley@mac.com>
To: Michael McIntosh/Watson/IBM@IBMUS
Cc: Anthony Nadalin/Austin/IBM@IBMUS, "imi@lists.oasis-open.org" <imi@lists.oasis-open.org>, Mike Jones <Michael.Jones@microsoft.com>
Date: 02/18/2009 09:18 PM
Subject: Re: [imi] Hopefully last change to the IMI spec before producing a Committee Draft
Yes, Not disclosed to RPs, Cardholders or anyone else.
The question is how much detail we need in the spec itself for a SHOULD.
As long as the spec is clear I am OK with the long form of the explanation of this being in the accompanying document.
John B.
On 18-Feb-09, at 11:07 PM, Michael McIntosh wrote:
John Bradley <jbradley@mac.com> wrote on 02/18/2009 08:51:08 PM:
> The important points are that it is card specific entropy stored by
> the IdP and never disclosed to RPs in any way.
Actually, this entropy needs to be treated as a secret and it should be [pseudo]random. The danger is not from RPs but from other cardholders from the same IdP.
Regards,
Mike