RE: [security-services] NameIDPolicy Format use clarification

["Scott Cantor" <cantor.2@osu.edu>]

> [RSP] Yes, but section 8.3 is the section where all identifiers are
> listed that "MAY be used in the Format attribute of the <NameID>,
> <NameIDPolicy>, or <Issuer> elements". Since encrypted can be used in
> <NameIDPolicy> I think it should be listed here for completeness, with
> the caveat that it is only permitted in <NameIDPolicy>.

I interpreted that sentence differently (as in, if it couldn't be used in
all those places, it didn't belong in that section).

My fear was that people *would* think you could use it any those elements
even if the text said you couldn't.

> [RSP] In Liberty ID-FF 1.2 it states that "of the formats defined in
> this specification, only federated name identifiers sometimes require
> encryption", so I have always presumed their use in that context.
> However, it actually did permit pre-1.2 identifiers to be encrypted by
> omitting the format or using "another unspecified value".

That's because Liberty didn't support traditional SAML identifiers, which
are just as reasonable to encrypt as anything else. Persistent isn't that
special. (That would be my subtitle for SAML 2.0.)

-- Scott