Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName
> I am concerned about making this a must. While I think there

I think it has to be a MUST if you're encrypting, or there's no way to know who's sent you the assertion. We could add some kind of xenc extension to carry something about that, but we didn't do that.

> Note that I am *NOT* saying that it should not be carried,
> just that we shouldn't make unnecessary information mandatory.

Well, that's my compromise position. In at least one case, it seems pretty necessary to me.

> The current wording "issuer MAY be omitted" is essentially an
> "issuer SHOULD be present" (perhaps not exactly, but I
> wouldn't object to saying it SHOULD be there, especially if
> it was somehow caveated with "when the response is signed" or
> something like that).

The MAY right now is in the profile, which of course knows that signing it is optional. So we could change that to a SHOULD if signing, but the main thing is to make it a MUST if encrypting.

-- Scott