Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName

Scott, I did mean Issuer.

Yes, then there's an errata. Line 541 in profiles. Basically says issuer (for an AuthnRequest Response) MAY be omitted. I believe this is the only spot in profiles.

Jahan, can you add an errata item to change line 541 to

"the <Issuer> element MUST be present and MUST contain the unique identifier of the"

The main reason is that Issuer should be a MUST in the SSO Response protocol.

Tom.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Thursday, June 09, 2005 10:50 AM
To: 'Thomas Wisniewski'; security-services@lists.oasis-open.org
Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName


> Hi, I noticed that the IssuerName is not a MUST for a Response.

Issuer, you mean? No, it's optional because I guess people aren't as convinced as I am that it's madness not to do this uniformly. One of SAML 1.x's biggest weaknesses IMHO was lack of Issuer in the protocol layer. It screwed us up repeatedly. It also caused Liberty to sprinkle ProviderID elements all over the place.

> However, for an unsolicited Response, this makes handling
> EncryptedAssertion elements whose decryption certs are
> exchanged via metadata (and not in the Response) more
> difficult or impossible. I.e., if KeyName/X509SerialNumber is
> not part of the EncryptedAssertion, how would you know which
> decryption key to use?

It screws up signing too, since you have to derive the responder from the certificate and that's just not the easiest direction to go in, IMHO.

> Am I missing something here? Should IssuerName be required
> in the Response to avoid these types of issues?

I think the party line is that I was able to require use of Issuer in all the profiles I wrote, so the fact that it's technically optional in core doesn't matter that much. If somebody finds a good use for not including an Issuer, so be it. If I missed a spot in profiles, that's an errata.

-- Scott
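The key-selection problem the thread describes, as an added example that is not part of the original messages: a relying party whose decryption keys come from metadata indexed by entityID can only choose a key if the Response itself carries an <Issuer>, so the check below fails closed when the element is absent. METADATA_KEYS, the key labels and the two sample Responses are constructed; only the SAML 2.0 namespaces are real.

```python
"""Choose the metadata key for a SAML 2.0 Response by its Issuer (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for keys learned from metadata, indexed by entityID.
# Values are labels here; a real deployment would hold key material.
METADATA_KEYS = {
    "https://idp.example.org/saml": "idp.example.org-decryption-key",
}


def response_issuer(root):
    """Return the Response-level <Issuer> text, or None if the element is absent."""
    el = root.find(f"{{{SAML}}}Issuer")
    return el.text.strip() if el is not None and el.text else None


def select_key(response_xml, keys_by_issuer=METADATA_KEYS):
    """Pick the decryption key for an unsolicited Response from its Issuer alone.

    Raises ValueError when the Response has no Issuer (nothing then names the
    responder, the case raised in the thread) or when the Issuer is unknown.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    issuer = response_issuer(root)
    if issuer is None:
        raise ValueError("Response has no Issuer; cannot choose a decryption key")
    if issuer not in keys_by_issuer:
        raise ValueError(f"unknown issuer {issuer!r}")
    return keys_by_issuer[issuer]


# Constructed sample Responses; the EncryptedAssertion body is a placeholder.
WITH_ISSUER = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r1" Version="2.0" IssueInstant="2005-06-09T14:50:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:EncryptedAssertion/>
</samlp:Response>"""

WITHOUT_ISSUER = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r2" Version="2.0" IssueInstant="2005-06-09T14:50:00Z">
  <saml:EncryptedAssertion/>
</samlp:Response>"""

if __name__ == "__main__":
    print(select_key(WITH_ISSUER))
    try:
        select_key(WITHOUT_ISSUER)
    except ValueError as err:
        print("rejected:", err)
```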
