OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL

On a related but not identical note, as long as we're discussing the
potential for changes in this general area, we should probably clarify
whether the front-channel bindings of the other protocol profiles should
make use of the Response element's Recipient attribute or if we should even
keep it at all.

In most cases, those messages are signed, so we could do this, but ID-FF
protocols don't use such a feature and I'm not aware of any security
exposures due to that, since the response messages are just "acks" and the
request messages don't have a comparable sort of "binding" sanity check
value inside them anyway.

If anything, keeping it would probably argue for adding a comparable
attribute to the request type and using it there with the HTTP bindings.

Nothing to do with the Recipient attribute under discussion, but worth

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]