Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction
I think the issue here is one of risk management. Clearly an issuer can issue any token it likes, and an RP/SP can reject any token it does not trust. But there should be a way of communicating the RP's requirements to the issuer. In this case, if an RP is saying that it requests a token with an AppliesTo, one has to assume that this means the RP won't accept, i.e. risk trusting, a token that does not contain an AudienceRestriction. Thus the latter should be mandatory, if requested, since if the RP is not bothered either way, it need not ask for the AppliesTo. Making the AudienceRestriction optional negates the purpose of the RP asking for it.

regards

David

Mike Jones wrote:
> The SAML 2.0 token profile currently says:
>
> If the request contains a <wsp:AppliesTo> element, then a
> <saml:AudienceRestriction> containing a <saml:Audience> element MUST be
> included with the value of that element.
>
> As part of the review of the draft SAML 1.1 token profile, Arun Nanda
> commented: "This is overkill IMO. If an IdP is an open IdP that issues
> 'unscoped' tokens for consumption by any RP, it should not be forced to
> encode an audience in the issued token just because the request included
> it. So, maybe SHOULD is preferred here..."
>
> I tend to agree with Arun. I think we should make this change. That's
> the language I'm using in the 1.1 profile. After discussion, I'll file
> an issue about this too.
>
> -- Mike

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
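The RP-side check the message above argues for, as an added example that is not part of the list thread or of any IMI/SAML implementation. The element names follow the profile text quoted in the thread (wsp:AppliesTo in the request, saml:AudienceRestriction/saml:Audience in the issued assertion); the namespace URIs, the function names, the RP address and the sample RST and assertions are constructed for the example. It models the issuer under both readings (under MUST the restriction is emitted whenever AppliesTo is present; an "open IdP" under SHOULD may leave it out) and shows what a strict RP does with each result, including the SAML rule that when several AudienceRestriction elements are present every one of them has to be satisfied.

```python
# Added example for the imi thread on AppliesTo vs. AudienceRestriction.
# Not code from the list or from any IMI/SAML/WS-Trust implementation; all
# names, URLs and sample XML below are constructed for illustration.
from typing import Optional, Tuple
import xml.etree.ElementTree as ET  # stdlib parser; use defusedxml for untrusted input in production
from xml.sax.saxutils import escape

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

RP_ADDRESS = "https://rp.example.test/"  # constructed identifier of the relying party

# Constructed RequestSecurityToken carrying the RP's wsp:AppliesTo.
RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsp="{WSP}" xmlns:wsa="{WSA}">
  <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wsp:AppliesTo>
    <wsa:EndpointReference><wsa:Address>{RP_ADDRESS}</wsa:Address></wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityToken>"""


def applies_to_from_rst(rst_xml: str) -> Optional[str]:
    """Issuer side: extract the wsa:Address inside wsp:AppliesTo, or None if absent."""
    root = ET.fromstring(rst_xml)
    addr = root.find(f".//{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")
    return addr.text.strip() if addr is not None and addr.text else None


def issue_assertion(applies_to: Optional[str], open_idp: bool = False) -> str:
    """Issuer side: a minimal (unsigned, constructed) SAML 2.0 assertion.

    With open_idp=False the issuer follows the current MUST wording and scopes
    the token to the requested audience. open_idp=True models the open IdP
    from the thread under the proposed SHOULD wording: it ignores AppliesTo
    and issues an unscoped token with no AudienceRestriction at all.
    """
    if applies_to and not open_idp:
        conditions = ("<saml:Conditions><saml:AudienceRestriction>"
                      f"<saml:Audience>{escape(applies_to)}</saml:Audience>"
                      "</saml:AudienceRestriction></saml:Conditions>")
    else:
        conditions = "<saml:Conditions/>"
    return (f'<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_a1" '
            'IssueInstant="2009-01-01T00:00:00Z">'
            "<saml:Issuer>https://idp.example.test/</saml:Issuer>"
            "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
            f"{conditions}</saml:Assertion>")


def rp_accepts(assertion_xml: str, expected_audience: str,
               require_restriction: bool = True) -> Tuple[bool, str]:
    """RP side: decide whether to trust the token on audience grounds only.

    Signature, validity window and issuer trust are out of scope here. With
    require_restriction=True (the position argued in the thread) an unscoped
    token is rejected; with False the RP knowingly accepts that risk.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(f".//{{{SAML2}}}Conditions/{{{SAML2}}}AudienceRestriction")
    if not restrictions:
        return (not require_restriction, "unscoped token: no AudienceRestriction")
    # SAML 2.0 core: every AudienceRestriction must be satisfied (AND), and a
    # single one is satisfied if any of its Audience values matches (OR).
    for restriction in restrictions:
        audiences = {a.text.strip() for a in restriction.findall(f"{{{SAML2}}}Audience") if a.text}
        if expected_audience not in audiences:
            return (False, f"audience mismatch: {sorted(audiences)}")
    return (True, "audience matches")


# Constructed edge case: two AudienceRestriction elements, only one naming this RP.
TWO_RESTRICTIONS = issue_assertion(RP_ADDRESS).replace(
    "</saml:AudienceRestriction>",
    "</saml:AudienceRestriction><saml:AudienceRestriction>"
    "<saml:Audience>https://other.example.test/</saml:Audience></saml:AudienceRestriction>")


if __name__ == "__main__":
    target = applies_to_from_rst(RST)
    print("AppliesTo in request:", target)
    print("MUST issuer, strict RP:  ", rp_accepts(issue_assertion(target), RP_ADDRESS))
    print("open IdP, strict RP:     ", rp_accepts(issue_assertion(target, open_idp=True), RP_ADDRESS))
    print("open IdP, lenient RP:    ", rp_accepts(issue_assertion(target, open_idp=True), RP_ADDRESS, False))
    print("scoped to another RP:    ", rp_accepts(issue_assertion("https://other.example.test/"), RP_ADDRESS))
    print("two restrictions (AND):  ", rp_accepts(TWO_RESTRICTIONS, RP_ADDRESS))
```

The point the last two cases make is the practical one: an RP that asks for AppliesTo gets no protection from the profile wording alone; it has to enforce the audience itself, and under the SHOULD reading it must also decide up front whether an unscoped token from an open IdP is acceptable, which is exactly the risk decision the message above says belongs with the RP.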