RE: [security-services] Authentication Response IssuerName vs. As sertion IssuerName

["Scott Cantor" <cantor.2@osu.edu>]

> I am concerned about making this a must.  While I think there 

I think it has to be a MUST if you're encrypting, or there's no way to know
who's sent you the assertion. We could add some kind of xenc extension to
carry something about that, but we didn't do that.

> Note that I am *NOT* saying that it should not be carried, 
> just that we shouldn't make unnecessary information mandatory.  

Well, that's my compromise position. In at least one case, it seems pretty
necessary to me.

> The current wording "issuer MAY be omitted" is essentially an 
>  "issuer SHOULD be present" (perhaps not exactly, but I 
> wouldn't object to saying it SHOULD be there, especially if 
> it was somehow caveated with "when the response is signed" or 
> something like that).

The MAY right now is in the profile, which of course knows that signing it
is optional. So we could change that to a SHOULD if signing, but the main
thing is to make it a MUST if encrypting.

-- Scott