OASIS Mailing List Archives


security-services message



Subject: RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-07


> Well, the other alternative is to return an error, right?

For the IdP? Sure. That's the point. You just have prior knowledge about
what might happen, so you can save it the trouble. If signing is a
"whatever" sort of operation to the IdP, the logical thing to do is to sign
if the flag is true, and do whatever the default is if it's not. If it's a
major operation that the IdP doesn't normally like to do, then you'd
probably consider returning an error.

> > I don't understand what's so vague about that.
> 
> If there were a WantAssertionsSigned attribute in AuthnRequest, would
> you be inclined to interpret it differently?

If it was written as a MUST (in which case that would be a bad name to use),
I'd follow it, otherwise I'd do whatever I'm doing now.

-- Scott



