Subject: RE: [security-services] Proposed clean up on subject text
> > What about the case of, say, an Attribute query over SOAP? An Attribute
> > Authority will respond with an assertion saying that "the entity with
> > identifier X has the following associated attributes".
> >
> > I don't imagine that subject confirmation would be included, because the
> > referenced entity isn't part of the exchange. So, the default
> > interpretation of that assertion should definitely not be "bearer".
>
> Right, that's my use case today.
>
> > I'd like to see text in core, section 2.4.1 "Element <Subject>", state
> > that the absence of any SubjectConfirmation elements MUST be interpreted
> > as having no correlation to any presenter of the assertion. Leaving it
> > up in the air seems very dangerous to me.
>
> I'm happy saying it's just "unspecified", as Ron said...the authority is
> making no statement about subject confirmation whatsoever.
>
> -- Scott

So, you don't see any danger in a malicious party presenting such an
assertion to another relying party that interpreted the spec's
unspecificity in this area (which I don't see actually stated anywhere)
differently -- as "bearer", for instance? This is my motivation for the
MUST clarification.

--
Steve Anderson
OpenNetwork
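
The interpretation argued for in the message above, written out as a relying-party check. This is an added example, not part of the original thread; it assumes the SAML 2.0 assertion namespace and bearer method URI, and the function names and sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumptions: SAML 2.0 assertion namespace and bearer confirmation method URI.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def presenter_binding(assertion_xml):
    """Classify how the presenter of an assertion relates to its subject.

    Returns "no-subject", "no-correlation" (no SubjectConfirmation at all),
    "bearer", or "other" (methods present, none of them bearer).
    A real relying party verifies the signature and conditions first and
    parses untrusted XML with a hardened parser; both are omitted here.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return "no-subject"
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    methods = [sc.get("Method") for sc in confirmations]
    if not methods:
        # Absence of confirmation: nothing ties the presenter to the subject.
        return "no-correlation"
    return "bearer" if BEARER in methods else "other"

def accept_as_login(assertion_xml):
    """Hypothetical gate: only an explicit bearer confirmation lets the
    presenter be treated as the subject. Absence never defaults to bearer."""
    return presenter_binding(assertion_xml) == "bearer"

def make_assertion(confirmation=""):
    """Build a constructed, unsigned sample assertion about identifier X."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
        f'<saml:NameID>X</saml:NameID>{confirmation}</saml:Subject>'
        '<saml:AttributeStatement><saml:Attribute Name="role">'
        '<saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion>'
    )

# Constructed samples: an attribute query result and a bearer assertion.
ATTRIBUTE_RESPONSE = make_assertion()
BEARER_ASSERTION = make_assertion(f'<saml:SubjectConfirmation Method="{BEARER}"/>')

if __name__ == "__main__":
    for name, doc in [("attribute", ATTRIBUTE_RESPONSE), ("bearer", BEARER_ASSERTION)]:
        print(name, presenter_binding(doc), accept_as_login(doc))
```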