

Subject: RE: [imi] Token profile issue with AppliesTo and AudienceRestriction


Mike Jones wrote on 2009-12-15:
> As part of the review of the draft SAML 1.1 token profile, Arun Nanda
> commented: "This is overkill IMO. If an IdP is an open IdP that issues
> 'unscoped' tokens for consumption by any RP, it should not be forced to
> encode an audience in the issued token just because the request included it.
> So, may be SHOULD is preferred here."

I disagree. If the request from the user's client includes that field, it's
precisely to *guarantee* that the IdP doesn't risk the user's identity in
this fashion.
-- Scott
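The check the two positions above turn on is whether the audience the requester asked for (wsp:AppliesTo in the WS-Trust RequestSecurityToken) ends up bound into the issued SAML 1.1 assertion (a saml:AudienceRestrictionCondition, the SAML 1.1 name for what SAML 2.0 calls AudienceRestriction). The following is an added example, not code from the token profile, the thread participants or any IMI implementation: a requester-side comparison that refuses an unscoped or wrongly scoped token when the request carried AppliesTo, and accepts one only when no audience was requested. The XML samples are constructed for illustration; the endpoint URLs, the helper names and the WS-Trust 1.3 / WS-Policy / WS-Addressing namespaces assumed for the request are assumptions (the namespaces are the ones those specifications define, but a real deployment may use other versions).

```python
import xml.etree.ElementTree as ET

# Namespaces assumed for the request (WS-Trust 1.3, WS-Policy, WS-Addressing)
# and for the SAML 1.1 assertion. Adjust if a deployment uses other versions.
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample request: the client asks for a token scoped to one RP.
RST_WITH_APPLIESTO = """<wst:RequestSecurityToken
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wsp:AppliesTo>
    <wsa:EndpointReference><wsa:Address>https://rp.example/</wsa:Address></wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityToken>"""

# Constructed sample request with no AppliesTo: no audience binding requested.
RST_NO_APPLIESTO = """<wst:RequestSecurityToken
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
</wst:RequestSecurityToken>"""


def _assertion(audiences):
    """Build a constructed SAML 1.1 assertion skeleton with the given audiences
    (an empty list yields an 'unscoped' token with no AudienceRestrictionCondition).
    Signature and statements are omitted; only the Conditions matter here."""
    cond = ""
    if audiences:
        cond = ("<saml:AudienceRestrictionCondition>"
                + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
                + "</saml:AudienceRestrictionCondition>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" MajorVersion="1" MinorVersion="1" '
            'AssertionID="_example" Issuer="https://idp.example/" '
            'IssueInstant="2009-12-15T00:00:00Z">'
            '<saml:Conditions NotBefore="2009-12-15T00:00:00Z" '
            f'NotOnOrAfter="2009-12-15T00:05:00Z">{cond}</saml:Conditions>'
            '</saml:Assertion>')


SCOPED_TOKEN = _assertion(["https://rp.example/"])
UNSCOPED_TOKEN = _assertion([])
OTHER_RP_TOKEN = _assertion(["https://other-rp.example/"])


def requested_audience(rst_xml):
    """Return the wsa:Address inside wsp:AppliesTo, or None if the request has none."""
    root = ET.fromstring(rst_xml)
    addr = root.find("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    if addr is None or not addr.text:
        return None
    return addr.text.strip()


def token_audiences(assertion_xml):
    """Return every saml:Audience found under saml:Conditions of a SAML 1.1 assertion."""
    root = ET.fromstring(assertion_xml)
    audiences = []
    for cond in root.findall("saml:Conditions/saml:AudienceRestrictionCondition", NS):
        for aud in cond.findall("saml:Audience", NS):
            if aud.text:
                audiences.append(aud.text.strip())
    return audiences


def check_audience_binding(rst_xml, assertion_xml):
    """Requester-side check: if the request carried AppliesTo, the issued token must
    name that audience. Returns (accepted, reason)."""
    wanted = requested_audience(rst_xml)
    audiences = token_audiences(assertion_xml)
    if wanted is None:
        return True, "no AppliesTo in request; audience binding was not requested"
    if not audiences:
        return False, "request carried AppliesTo but token is unscoped (no AudienceRestrictionCondition)"
    if wanted not in audiences:
        return False, f"token audiences {audiences} do not include requested {wanted}"
    return True, f"token scoped to {wanted}"


if __name__ == "__main__":
    for name, tok in [("scoped", SCOPED_TOKEN), ("unscoped", UNSCOPED_TOKEN), ("other RP", OTHER_RP_TOKEN)]:
        print(name, check_audience_binding(RST_WITH_APPLIESTO, tok))
```

The requester does not take the IdP's behaviour on trust: it compares the audience it asked for against what came back and discards a token that could be replayed to any RP. An RP performing its own validation would run the same `token_audiences` lookup against its own identifier, together with the NotBefore/NotOnOrAfter and signature checks this skeleton leaves out.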