saml-dev message

Subject: RE: [saml-dev] phishing the DS protocol


> Hmm, well that is not the response I was expecting :-) so let me try
> again. If you deployed an instance of the DS, and you found that it
> did not check the above, would you be concerned enough to do anything
> about it?

Yes.

> > Could have been a "MUST implement", didn't really think about it.
> 
> I'm not sure why you're making this distinction. SAML Core is pretty
> clear about the consumer service URL, for instance. Why is this any
> different?

It's a different check for a much more security-relevant reason, but the ACS
checking is also an example of SAML being strict to satisfy people that care
about security and leading people who don't (the OpenID crowd) to throw
stones at it as a result. In practice, the ACS check is also optional (e.g.,
IdPs that issue responses to "unknown" services).

The language was well intentioned but absolutes and policy don't mix that
well.

-- Scott
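As an added example (not code from this thread, the OASIS list, or any SAML specification), here is the metadata-based endpoint check the exchange is about: a discovery service checking the return URL, or an IdP checking an AssertionConsumerServiceURL, against the endpoints registered in the SP's metadata. The metadata, entity ID and URLs are constructed; whether query strings may be ignored for return URLs is a deployment policy assumption, not a spec reading.

```python
"""Endpoint validation against SP metadata (constructed example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed SP metadata: one DiscoveryResponse (DS return) endpoint and one ACS.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://sp.example.org/Shibboleth.sso/DS" index="1"/>
    </md:Extensions>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def registered_endpoints(metadata_xml, element):
    """Collect the Location of every `element` (e.g. 'md:AssertionConsumerService'
    or 'idpdisc:DiscoveryResponse') found in the SP's metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iterfind(".//" + element, NS)}


def endpoint_allowed(requested, allowed, ignore_query=False):
    """True if `requested` is one of the registered endpoints.

    The comparison is an exact string match: a host-suffix or path-prefix
    check would let a look-alike host or an appended path slip through.
    With ignore_query=True (assumed local policy for return URLs that carry
    SP state) the query and fragment are dropped before comparing, so the
    scheme, host and path must still match a registered Location exactly.
    """
    if ignore_query:
        requested = urlsplit(requested)._replace(query="", fragment="").geturl()
    return requested in allowed
```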



