[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL
On a related but not identical note, as long as we're discussing the potential for changes in this general area, we should probably clarify whether the front-channel bindings of the other protocol profiles should make use of the Response element's Recipient attribute or if we should even keep it at all. In most cases, those messages are signed, so we could do this, but ID-FF protocols don't use such a feature and I'm not aware of any security exposures due to that, since the response messages are just "acks" and the request messages don't have a comparable sort of "binding" sanity check value inside them anyway. If anything, keeping it would probably argue for adding a comparable attribute to the request type and using it there with the HTTP bindings. Nothing to do with the Recipient attribute under discussion, but worth mentioning. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]