security-services message



Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName



I guess that's reasonable. Is there strong objection to making it mandatory in the SSO Response?

As an implementer, not having it there really stinks since you cannot handle the protocol layer the same way (or without digging down into the Assertion :-(

Tom.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Thursday, June 09, 2005 3:35 PM
To: 'Thomas Wisniewski'; security-services@lists.oasis-open.org
Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName


> Yes, then there's an errata. Line 541 in profiles. Basically
> says issuer (for an AuthnRequest Response) MAY be omitted. I
> believe this is the only spot in profiles.
>
> Jahan, can you add an errata item to change line 541 to
>
> "the <Issuer> element MUST be present and MUST contain the
> unique identifier of the"
>
> The main reason is that Issuer should be a MUST in the
> SSO Response protocol.

Ah, ok. So I think the point there was to allow people to assume Issuer based on the Assertion, thus your point about encryption...

A compromise might be to just say, if you encrypt the assertion, it's required, otherwise it MAY be omitted.

-- Scott
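
The implementer's problem raised in this thread, as an added example that is not part of the original messages: a receiver resolving the issuer of a SAML 2.0 Response has to fall back to the Assertion when the protocol-level Issuer is omitted, and cannot do so without decrypting when only an EncryptedAssertion is present. The function name, the exception and the sample messages are constructed for illustration, and idp.example.org is a placeholder.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 protocol and assertion namespaces
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class IssuerUnavailable(Exception):
    """The issuer cannot be determined without decrypting the assertion."""

def response_issuer(xml_text):
    """Return (issuer, source) for a <samlp:Response>.

    source is "response" when the protocol-level <Issuer> is present, and
    "assertion" when the caller had to dig into a cleartext <Assertion>.
    Parsing only: a real receiver also verifies signatures and uses a
    hardened XML parser on untrusted input.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    top = root.find("saml:Issuer", NS)  # direct child of Response only
    if top is not None and (top.text or "").strip():
        return top.text.strip(), "response"
    # Issuer omitted at the protocol layer: fall back to cleartext assertions.
    issuers = {(el.text or "").strip()
               for el in root.findall("saml:Assertion/saml:Issuer", NS)}
    issuers.discard("")
    if len(issuers) == 1:
        return issuers.pop(), "assertion"
    if len(issuers) > 1:
        raise IssuerUnavailable("assertions disagree on issuer")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise IssuerUnavailable("Issuer omitted and assertion is encrypted")
    raise IssuerUnavailable("no Issuer in response or assertion")

def sample_response(issuer_xml, body_xml):
    """Build a constructed sample Response for the cases below."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" '
            'Version="2.0">%s%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], issuer_xml, body_xml))

ISSUER = "<saml:Issuer>https://idp.example.org</saml:Issuer>"
WITH_ISSUER = sample_response(ISSUER, "<saml:EncryptedAssertion/>")
CLEAR_ONLY = sample_response(
    "", "<saml:Assertion ID='_a1' Version='2.0'>%s</saml:Assertion>" % ISSUER)
ENCRYPTED_ONLY = sample_response("", "<saml:EncryptedAssertion/>")
```
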


