Subject: RE: [security-services] Proposed clean up on subject text
> My $.02 is that zero confirmations means that the entity presenting the
> assertion doesn't have to do anything special in order to present the
> assertion. To me that means it is a bearer token... but I probably
> could be convinced otherwise.

This has always been underspecified, between "bearer", "sender-vouches", and "nothing". Of course, bearer (and sender-vouches) now have more capability with the restrictive attributes I introduced, so it's no longer entirely equivalent to nothing, but in 1.1, we arguably had 3 different syntaxes that meant something similar.

As I heard people discuss it, the closest thing to consensus I ever heard was that bearer was distinct, and nothing/sender-vouches seemed relatively alike ("derived from application context", essentially).

When we do attribute queries in Shibboleth, we don't use SubjectConfirmation (yet), and I don't think we anticipated that the SP could ever take that assertion and use it to impersonate the user.

-- Scott