[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Correction to my diatribe about assertion Subjects on last call
> > So, the old profile DOES require that every assertion returned refers to
> > the same principal. Obviously the HoK profile should do the same, and I
> > would suggest that it explicitly copy that text if it didn't already.
>
> Makes sense. More sense than anything I was arguing, for sure.
>
> All of that seems quite reasonable. Things seem to get complicated,
> however, when the request has an explicit <Subject> element.

I generally thought of that as a simplifying factor, certainly with regard to the NameID anyway, but I understand the confirmation half is squishy.

> What happens, for example, if the request contains a holder-of-key
> <SubjectConfirmation> element in ordinary Web Browser SSO or a bearer
> <SubjectConfirmation> element in HoK Web Browser SSO? In the latter
> case, that seems to say that both bearer and holder-of-key
> <SubjectConfirmation> elements MUST be included.

Well, with regard to the former, it's not allowed. I had forgotten that, but it was in the original text; we ruled out requesting confirmation as a simplification.

In the latter case, well, you *could* just say the same thing, or if you still want to permit it, if you did ask for bearer, then, yes, you'd get both.

-- Scott
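The rules Scott is discussing (every assertion in a response refers to the same principal; an ordinary Web Browser SSO request must not carry a <SubjectConfirmation>; in HoK Web Browser SSO a request that asks for bearer confirmation yields assertions carrying both bearer and holder-of-key confirmations) can be written down as SP-side checks. The following is an added example, not code from the thread, the OASIS profiles, or any SAML toolkit. The profile names "web-sso" and "hok-web-sso", the per-assertion interpretation of "MUST be included", and the sample AuthnRequest and Response messages are assumptions constructed here; signature verification and matching the HoK key against the presenter's TLS certificate are out of scope.

```python
"""Added example, not from the thread or any OASIS text: SP-side checks on the
<Subject> handling rules discussed above. Profile names, sample messages and the
per-assertion reading of the rules are assumptions made for illustration."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Hypothetical profile names -> the confirmation method the profile requires.
PROFILE_METHOD = {"web-sso": CM_BEARER, "hok-web-sso": CM_HOK}


def _methods(subject):
    """Confirmation Method URIs listed under a <saml:Subject>."""
    return [sc.get("Method") for sc in subject.findall("saml:SubjectConfirmation", NS)]


def check_request(authn_request_xml, profile):
    """Return the confirmation methods the AuthnRequest's <Subject> asks for,
    after enforcing what the profile permits a requester to ask for."""
    root = ET.fromstring(authn_request_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return []
    requested = _methods(subject)
    # Ordinary Web Browser SSO: requesting confirmation is not allowed at all.
    if profile == "web-sso" and requested:
        raise ValueError("web-sso: request must not contain <SubjectConfirmation>")
    # HoK Web Browser SSO (assumption): the profile's own method and bearer may be asked for.
    allowed = {PROFILE_METHOD[profile], CM_BEARER}
    bad = [m for m in requested if m not in allowed]
    if bad:
        raise ValueError(f"{profile}: confirmation method(s) not permitted in request: {bad}")
    return requested


def request_rejected(authn_request_xml, profile):
    """True if check_request refuses the request under the given profile."""
    try:
        check_request(authn_request_xml, profile)
    except ValueError:
        return True
    return False


def _name_id(assertion):
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    return None if nid is None else (nid.get("Format"), (nid.text or "").strip())


def check_response(response_xml, profile, requested_methods=()):
    """Return a list of problems; an empty list means the Response passes."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return ["response carries no assertions"]
    problems = []
    # Rule 1: every assertion returned must refer to the same principal (same NameID).
    ids = {_name_id(a) for a in assertions}
    if len(ids) != 1:
        problems.append(f"assertions refer to different principals: {sorted(ids, key=str)}")
    # Rule 2: each assertion carries the profile's method, plus bearer if bearer was requested.
    required = {PROFILE_METHOD[profile]} | (set(requested_methods) & {CM_BEARER})
    for i, a in enumerate(assertions):
        subject = a.find("saml:Subject", NS)
        have = set(_methods(subject)) if subject is not None else set()
        missing = required - have
        if missing:
            problems.append(f"assertion {i}: missing SubjectConfirmation method(s) {sorted(missing)}")
    return problems


# --- constructed sample messages (not real traffic) ---------------------------
def _assertion(aid, name, methods):
    confs = "".join(f'<saml:SubjectConfirmation Method="{m}"/>' for m in methods)
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="{aid}" Version="2.0" '
            f'IssueInstant="2009-01-01T00:00:00Z"><saml:Issuer>https://idp.example.org</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name}</saml:NameID>{confs}</saml:Subject></saml:Assertion>')


def _response(assertions):
    body = "".join(assertions)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
            f'IssueInstant="2009-01-01T00:00:00Z">{body}</samlp:Response>')


# A HoK request that also asks for bearer confirmation of the named principal.
HOK_REQUEST_ASKING_BEARER = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_q1" Version="2.0" '
    f'IssueInstant="2009-01-01T00:00:00Z"><saml:Subject><saml:NameID>alice</saml:NameID>'
    f'<saml:SubjectConfirmation Method="{CM_BEARER}"/></saml:Subject></samlp:AuthnRequest>')
# Both assertions name alice and carry both HoK and bearer confirmation: passes.
GOOD_RESPONSE = _response([_assertion("_a1", "alice", [CM_HOK, CM_BEARER]),
                           _assertion("_a2", "alice", [CM_HOK, CM_BEARER])])
# Second assertion names a different principal and lacks bearer: two problems.
MIXED_RESPONSE = _response([_assertion("_a1", "alice", [CM_HOK, CM_BEARER]),
                            _assertion("_a2", "bob", [CM_HOK])])

if __name__ == "__main__":
    asked = check_request(HOK_REQUEST_ASKING_BEARER, "hok-web-sso")
    print("requested:", asked)
    print("good:", check_response(GOOD_RESPONSE, "hok-web-sso", asked))
    print("mixed:", check_response(MIXED_RESPONSE, "hok-web-sso", asked))
```

The same request is rejected outright under "web-sso", since that profile rules out requesting confirmation; under "hok-web-sso" it is accepted and the bearer method it asked for becomes an additional requirement on every assertion in the response.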