security-services message

Subject: Re: [security-services] Fwd: [OAUTH-WG] I-D Action:draft-ietf-oauth-saml2-bearer-05.txt

From: "Cantor, Scott E." <cantor.2@osu.edu>
To: Phillip Hunt <phil.hunt@oracle.com>, SAML<security-services@lists.oasis-open.org>
Date: Thu, 4 Aug 2011 16:45:57 +0000

On 8/4/11 11:36 AM, "Phillip Hunt" <phil.hunt@oracle.com> wrote:
>
>Lastly the processing rules on the assertion have been relaxed
>somewhat to allow for <SubjectConfirmationData> element(s) to be
>optional when the <Conditions> element has a NotOnOrAfter attribute.

Omitting subject confirmation just means the assertion has no security
semantics or that it's "sender vouches". You could do bearer by
implication, but that's sloppy. Assertions should be self-defining
whenever possible, not punt their semantics to implication.

-- Scott

Follow-Ups:
- Re: [security-services] Fwd: [OAUTH-WG] I-D Action: draft-ietf-oauth-saml2-bearer-05.txt
  - From: Brian Campbell <bcampbell@pingidentity.com>

References:
- Fwd: [OAUTH-WG] I-D Action: draft-ietf-oauth-saml2-bearer-05.txt
  - From: Phillip Hunt <phil.hunt@oracle.com>