Subject: [security-bindings] "Audience" overloaded
Just a quick note for further discussion today I hope. I think this may have been discussed before but it seems like a problem to me and other Shib folks.

The use described for AudienceRestrictionCondition in core-20 is what I would call policy labelling. "This assertion has been generated in conformance with agreement foo, and is only to be used in accordance etc." In Shib we would use this to label it with Shib conditions, which are relatively precise (privacy management, form of subject name, etc).

The use described for Audience (presumably the same element) in the browser profile is "this assertion is intended only for this destination system", to prevent malicious forwarding. This seems to me to be a fundamentally different use.

In Shib we would be obliged to do both simultaneously. The relying party would be obliged to determine from the value of the URI whether it meant "this destination" or "this policy". We could live with this but it seems suboptimal and confusing to me.

I suggest that these two concepts be represented by two different elements.

- RL "Bob"
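The following is an added example, not part of Bob's message or of any SAML or Shibboleth code. It shows what the relying-party side of the overloading described above looks like in practice: a constructed SAML 1.0-style assertion carries two AudienceRestrictionCondition elements, one naming the intended destination and one naming a policy label, and the relying party has to treat both its own identifier and every policy URI it honours as "audiences it belongs to" before it can accept the assertion. The URIs, the AssertionID and the rule that the destination must be named somewhere are assumptions for illustration; the namespace and element names are those of the SAML 1.0 assertion schema.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion (hypothetical URIs). One condition names the
# destination system, the other labels the policy the assertion was issued under.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML1_NS}" AssertionID="_constructed-example">
 <Conditions>
  <AudienceRestrictionCondition>
   <Audience>https://sp.example.org/shibboleth</Audience>
  </AudienceRestrictionCondition>
  <AudienceRestrictionCondition>
   <Audience>urn:example:policy:privacy-agreement-v1</Audience>
  </AudienceRestrictionCondition>
 </Conditions>
</Assertion>"""


def audience_conditions(xml_text):
    """Return the Audience URIs of each AudienceRestrictionCondition, one list per condition."""
    root = ET.fromstring(xml_text)
    conditions = []
    for cond in root.iter(f"{{{SAML1_NS}}}AudienceRestrictionCondition"):
        uris = [a.text.strip() for a in cond.findall(f"{{{SAML1_NS}}}Audience") if a.text]
        conditions.append(uris)
    return conditions


def evaluate(xml_text, my_identifier, honoured_policies):
    """Relying-party audience check. Returns (accepted, reason).

    Conditions are ANDed, the Audience values inside one condition are ORed.
    Because destination names and policy labels share the same element, the
    relying party must count itself a member of its own identifier AND of every
    policy URI it is prepared to honour; a policy it does not recognise looks
    exactly like a destination that is not us. The requirement that the
    destination appear somewhere (to catch forwarded assertions) is an assumed
    profile rule for this example.
    """
    members = {my_identifier} | set(honoured_policies)
    conditions = audience_conditions(xml_text)
    for index, uris in enumerate(conditions):
        if not any(uri in members for uri in uris):
            return False, f"condition {index}: none of {uris} is a recognised audience"
    if not any(my_identifier in uris for uris in conditions):
        return False, "no condition names this destination; possible forwarded assertion"
    return True, "accepted"


if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION, "https://sp.example.org/shibboleth",
                   {"urn:example:policy:privacy-agreement-v1"}))
    print(evaluate(SAMPLE_ASSERTION, "https://other.example.net/sp",
                   {"urn:example:policy:privacy-agreement-v1"}))
    print(evaluate(SAMPLE_ASSERTION, "https://sp.example.org/shibboleth", set()))
```

The second and third calls fail for different reasons (wrong destination versus unrecognised policy), yet the relying party can only tell them apart by knowing in advance which URIs are policies; that is the ambiguity the message argues a separate element would remove.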