
Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction


I think the issue here is one of risk management. Clearly an issuer can 
issue any token it likes, and an RP/SP can reject any token it does not 
trust. But there should be a way of communicating the RP's requirements 
to the issuer.

In this case, if an RP is saying that it requests a token with an 
AppliesTo, one has to assume that this means the RP won't accept, i.e. risk 
trusting, a token that does not contain an AudienceRestriction. Thus the 
latter should be mandatory, if requested, since if the RP is not 
bothered either way, it need not ask for the AppliesTo. Making the 
AudienceRestriction optional negates the purpose of the RP asking for it.

regards

David



Mike Jones wrote:
> The SAML 2.0 token profile currently says:
>
> If the request contains a <wsp:AppliesTo> element, then a
> <saml:AudienceRestriction> containing a <saml:Audience> element MUST be
> included with the value of that element.
>
> As part of the review of the draft SAML 1.1 token profile, Arun Nanda
> commented: "This is overkill IMO. If an IdP is an open IdP that issues
> 'unscoped' tokens for consumption by any RP, it should not be forced to
> encode an audience in the issued token just because the request included
> it. So, maybe SHOULD is preferred here..."
>
> I tend to agree with Arun. I think we should make this change. That's
> the language I'm using in the 1.1 profile. After discussion, I'll file
> an issue about this too.
>
> -- Mike
>

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
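The practical consequence of the MUST-vs-SHOULD question above is that an RP cannot rely on the profile to guarantee the scoping it asked for; it has to check the issued token itself. The following is an added example of that RP-side check, not code from the thread, the IMI TC or any OASIS profile. It assumes the RP has already verified the assertion's signature and now wants to accept only a token whose audience restriction names the wsp:AppliesTo address the RP sent in its request, rejecting both "unscoped" tokens (no audience restriction at all) and tokens scoped to a different RP. It handles the SAML 2.0 form (AudienceRestriction/Audience) and the SAML 1.1 form (AudienceRestrictionCondition/Audience) discussed in the thread; the sample assertions are constructed for the example and the issuer and RP URIs are placeholders.

```python
"""RP-side audience check for an issued SAML assertion (added example).

Enforces, at the relying party, the requirement the thread debates making
optional at the issuer: a token requested with wsp:AppliesTo must be
scoped to that address or it is not accepted.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",  # SAML 1.1 uses the 1.0 namespace
}

# (path to each restriction element, tag of its Audience children) per SAML version.
_RESTRICTIONS = [
    (".//saml2:Conditions/saml2:AudienceRestriction", "saml2:Audience"),
    (".//saml1:Conditions/saml1:AudienceRestrictionCondition", "saml1:Audience"),
]


def audience_restrictions(assertion_xml: str) -> list[set[str]]:
    """One set of Audience URIs per restriction element in the assertion.
    An empty list means the token carries no audience restriction (unscoped)."""
    root = ET.fromstring(assertion_xml)
    found = []
    for restriction_path, audience_tag in _RESTRICTIONS:
        for restriction in root.findall(restriction_path, NS):
            found.append({
                a.text.strip()
                for a in restriction.findall(audience_tag, NS)
                if a.text and a.text.strip()
            })
    return found


def accept_token(assertion_xml: str, applies_to: str) -> tuple[bool, str]:
    """Decide whether the RP accepts the assertion for the AppliesTo address
    it requested. Assumes the signature was already verified; this only
    enforces audience scoping. Audiences are compared as exact strings,
    so the RP must send the same URI form it expects back."""
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False, "unscoped token: no audience restriction present"
    # SAML 2.0 core evaluates multiple AudienceRestriction elements
    # independently, so every one of them must name this RP.
    if all(applies_to in audiences for audiences in restrictions):
        return True, "audience restriction includes AppliesTo"
    return False, f"audience restriction does not include {applies_to}"


# --- constructed sample assertions (placeholder URIs, unsigned) ---
RP = "https://rp.example/"          # value the RP put in wsp:AppliesTo
OTHER_RP = "https://other.example/"


def _saml2(conditions: str) -> str:
    return (f'<saml:Assertion xmlns:saml="{NS["saml2"]}" Version="2.0" '
            'ID="_a1" IssueInstant="2009-05-01T00:00:00Z">'
            '<saml:Issuer>https://idp.example/</saml:Issuer>'
            f'<saml:Conditions>{conditions}</saml:Conditions></saml:Assertion>')


def _saml11(conditions: str) -> str:
    return (f'<saml:Assertion xmlns:saml="{NS["saml1"]}" MajorVersion="1" '
            'MinorVersion="1" AssertionID="_a2" Issuer="https://idp.example/" '
            'IssueInstant="2009-05-01T00:00:00Z">'
            f'<saml:Conditions>{conditions}</saml:Conditions></saml:Assertion>')


SCOPED_TO_RP = _saml2(
    f"<saml:AudienceRestriction><saml:Audience>{RP}</saml:Audience></saml:AudienceRestriction>")
SCOPED_TO_OTHER = _saml2(
    f"<saml:AudienceRestriction><saml:Audience>{OTHER_RP}</saml:Audience></saml:AudienceRestriction>")
UNSCOPED = _saml2("")  # the "open IdP" case: Conditions without any audience
SCOPED_V11 = _saml11(
    f"<saml:AudienceRestrictionCondition><saml:Audience>{RP}</saml:Audience>"
    "</saml:AudienceRestrictionCondition>")


if __name__ == "__main__":
    for name, xml in [("scoped to RP", SCOPED_TO_RP), ("scoped to other RP", SCOPED_TO_OTHER),
                      ("unscoped", UNSCOPED), ("SAML 1.1 scoped to RP", SCOPED_V11)]:
        ok, why = accept_token(xml, RP)
        print(f"{name:24s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Only the two assertions naming the RP's own AppliesTo address are accepted; the unscoped token and the one scoped to another RP are rejected with a reason the RP can log. If the profile ends up saying SHOULD rather than MUST, this check is what turns the RP's request for an AppliesTo into an enforced requirement rather than a hint to the issuer.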