Subject: RE: [saml-dev] empty <ds:X509Certificate/> element?
> So maybe I'm misunderstanding the semantics of SubjectConfirmation in
> a SAML request. I take it to mean the requester would like to have an
> assertion containing such a SubjectConfirmation, not that the IdP
> should so confirm the presenter. Which is correct?

No, you're right. That doesn't mean that sending an empty element like that means anything. The signature spec doesn't give you any guidance on what that would mean, and like a lot of schemas, I interpret empty to mean "we didn't notice or care enough that base64Binary doesn't require minLength > 0". SAML did the same thing, but there's prose somewhere about empty strings not being legal.

Like I said on a call recently, if it had been thought through, I suspect I'd have added text to the AuthnRequest section making it legal to ask for a confirmation method but without data, regardless of what the method definition says, but we didn't do that, so as it currently stands, to ask for HoK, you MUST include a KeyInfo, and I don't think KeyInfo itself lets you get away without including *something*.

-- Scott
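An added example, not part of the message above and not taken from any SAML implementation: a receiver-side check that flags an AuthnRequest asking for holder-of-key confirmation without usable key material, including the empty `<ds:X509Certificate/>` case from the subject line. The function name, the `sample` helper and the request contents are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET  # for untrusted input, parse with a hardened parser such as defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

def check_hok_request(xml_text):
    """Return a list of problems with holder-of-key confirmations in an AuthnRequest."""
    problems = []
    root = ET.fromstring(xml_text)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue  # other confirmation methods are out of scope here
        key_infos = sc.findall("saml:SubjectConfirmationData/ds:KeyInfo", NS)
        if not key_infos:
            problems.append("HoK confirmation without ds:KeyInfo")
        for ki in key_infos:
            if len(ki) == 0:
                problems.append("ds:KeyInfo has no child elements")
            for cert in ki.findall("ds:X509Data/ds:X509Certificate", NS):
                # The schema type allows zero-length content, so check it explicitly.
                text = "".join((cert.text or "").split())
                if not text:
                    problems.append("empty ds:X509Certificate")
                    continue
                try:
                    base64.b64decode(text, validate=True)
                except (binascii.Error, ValueError):
                    problems.append("ds:X509Certificate is not valid base64")
    return problems

def sample(confirmation_data):
    """Build a constructed AuthnRequest around the given SubjectConfirmationData content."""
    xmlns = " ".join('xmlns:%s="%s"' % (p, u) for p, u in NS.items())
    return (
        '<samlp:AuthnRequest %s ID="_constructed" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z"><saml:Subject>'
        '<saml:SubjectConfirmation Method="%s"><saml:SubjectConfirmationData>%s'
        '</saml:SubjectConfirmationData></saml:SubjectConfirmation>'
        '</saml:Subject></samlp:AuthnRequest>' % (xmlns, HOK, confirmation_data)
    )
```

The check only establishes that key material is present and decodable; it does not parse the certificate or verify proof of possession.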