security-services message


Subject: RE: [security-services] underspecified behavior for AuthenticationQuery ?


Emily,

You have brought up an important point which at first sight
I would have to say is an inconsistency in the binding-11 
specification. As we have discussed previously, the general
philosophy is that an authority should not discuss with a
client *WHY* it is unable to return assertions (other than
some sort of non-normative status message helpful for debugging).
The concern here is that we do not want to provide means for
an attack on the authority.
>>> 
>>
>>But in binding-11 spec, line 519-521, it says 
>>
>>"The source site MUST return an error code if it receives a 
>><samlp:Request> 
>>message from an authenticated destination site X containing 
>>an artifact issued 
>>by the source site to some other destination site Y, where X <> Y."
>>
>>I feel we should treat a Request with AssertionID the same as 
>>a Request with 
>>Artifact if that AssertionID is associated with an Assertion 
>>that is issued for 
>>a specific site only. Can we safely say X <> Y is a real 
>>error therefore an 
>>error code should be returned instead of Success?
>>

What do you think of weakening lines 519-521 to be:

The source site MUST not return an assertion if it receives
a <samlp:Request> message from an authenticated destination 
site X containing an artifact issued by the source site
to some other destination site Y, where X <> Y.

This is more consistent with our "return no assertion" policy.

- prateek
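
An added illustration of the "return no assertion" policy discussed in this message; it is not part of the original e-mail or of the SAML specification text. The class, method and site names are hypothetical, and the sample artifact and assertion values are constructed. A request from site X for an artifact issued to site Y gets exactly the same response as a request for an artifact that was never issued, and the reason is recorded only in the source site's own log.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("source_site")


@dataclass
class Response:
    status: str
    assertions: list = field(default_factory=list)


class SourceSite:
    """Hypothetical source site holding artifact -> (destination, assertion)."""

    def __init__(self):
        self._issued = {}

    def issue(self, artifact, destination, assertion):
        self._issued[artifact] = (destination, assertion)

    def handle_request(self, requester, artifact):
        # `requester` is the destination site after it has been authenticated.
        entry = self._issued.get(artifact)
        if entry is None:
            reason = "unknown artifact"
        elif entry[0] != requester:
            reason = "artifact was issued to %s" % entry[0]
        else:
            return Response("Success", [entry[1]])
        # The reason is kept for the operator; the requester only ever sees
        # an empty Success response, whatever the cause.
        log.warning("no assertion returned to %s: %s", requester, reason)
        return Response("Success")


def demo():
    site = SourceSite()
    site.issue("artifact-1", "site-Y", "<assertion for site-Y>")  # constructed
    wrong_site = site.handle_request("site-X", "artifact-1")
    unknown = site.handle_request("site-X", "artifact-never-issued")
    rightful = site.handle_request("site-Y", "artifact-1")
    return wrong_site, unknown, rightful
```
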

