security-services message
Subject: RE: [security-services] Proposed clean up on subject text


> My $.02 is that zero confirmations means that the entity presenting the
> assertion doesn't have to do anything special in order to present the
> assertion.  To me that means it is a bearer token... but I probably
> could be convinced otherwise.

This has always been underspecified, between "bearer", "sender-vouches", and
"nothing". Of course, bearer (and sender-vouches) now have more capability
with the restrictive attributes I introduced, so it's no longer entirely
equivalent to nothing, but in 1.1, we arguably had 3 different syntaxes that
meant something similar.

As I heard people discuss it, the closest thing to consensus I ever heard
was that bearer was distinct, and nothing/sender-vouches seemed relatively
alike ("derived from application context", essentially).

When we do attribute queries in Shibboleth, we don't use SubjectConfirmation
(yet), and I don't think we anticipated that the SP could ever take that
assertion and use it to impersonate the user.

-- Scott
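The distinction drawn above, between a bearer confirmation that a relying party may act on and an assertion with no SubjectConfirmation that is only meaningful in its application context, is what a relying party has to enforce in code. The following is an added example, not code from this list, from the SAML specifications or from Shibboleth. It assumes the SAML 2.0 assertion namespace and confirmation-method URIs, and treats the Recipient, InResponseTo and NotOnOrAfter attributes of SubjectConfirmationData as the restrictive attributes the message refers to; the three sample assertions are constructed for illustration.

```python
"""Classify SAML 2.0 SubjectConfirmation elements and apply the
SubjectConfirmationData restrictions that make a bearer confirmation
safe for a relying party to act on.

Added example; not code from the OASIS list, the SAML spec or Shibboleth.
The sample assertions at the bottom are constructed for illustration."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def classify_confirmations(assertion_xml):
    """Return [(method, SubjectConfirmationData attributes)] for each
    SubjectConfirmation in the Subject; empty list when there are none."""
    root = ET.fromstring(assertion_xml)
    out = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        attrs = dict(data.attrib) if data is not None else {}
        out.append((sc.get("Method"), attrs))
    return out


def bearer_usable(assertion_xml, expected_recipient, expected_in_response_to, now):
    """Decide whether a relying party may act on the assertion as a bearer token.

    Returns (ok, reason). Only a bearer confirmation is accepted, and only when
    it is scoped to this recipient, to the request it answers, and not expired.
    An assertion with no SubjectConfirmation (e.g. an attribute-query response)
    is deliberately refused: it is bound to its context, not presentable."""
    confirmations = classify_confirmations(assertion_xml)
    if not confirmations:
        return False, "no SubjectConfirmation: context-bound, not a bearer token"
    for method, attrs in confirmations:
        if method != BEARER:
            # sender-vouches / holder-of-key need proof from the presenter,
            # which this bearer check does not evaluate.
            continue
        if attrs.get("Recipient") != expected_recipient:
            return False, "bearer Recipient mismatch"
        if attrs.get("InResponseTo") != expected_in_response_to:
            return False, "bearer InResponseTo mismatch"
        expiry = attrs.get("NotOnOrAfter")
        if expiry is None:
            return False, "bearer confirmation without NotOnOrAfter"
        if now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
            return False, "bearer confirmation expired"
        return True, "bearer confirmation accepted"
    return False, "no bearer confirmation present"


# Constructed sample assertions (hypothetical issuer, recipient and ids).
_HEAD = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'ID="_a1" Version="2.0" IssueInstant="2004-08-01T12:00:00Z">'
         '<saml:Issuer>https://idp.example.org</saml:Issuer><saml:Subject>'
         '<saml:NameID>alice</saml:NameID>')
_TAIL = '</saml:Subject></saml:Assertion>'

BEARER_ASSERTION = _HEAD + (
    '<saml:SubjectConfirmation Method="' + BEARER + '">'
    '<saml:SubjectConfirmationData Recipient="https://sp.example.org/acs" '
    'InResponseTo="_req1" NotOnOrAfter="2004-08-01T12:05:00Z"/>'
    '</saml:SubjectConfirmation>') + _TAIL
VOUCHES_ASSERTION = _HEAD + (
    '<saml:SubjectConfirmation Method="' + SENDER_VOUCHES + '"/>') + _TAIL
QUERY_ASSERTION = _HEAD + _TAIL   # attribute-query style: no confirmation

if __name__ == "__main__":
    now = datetime(2004, 8, 1, 12, 1, tzinfo=timezone.utc)
    for name, a in [("bearer", BEARER_ASSERTION), ("vouches", VOUCHES_ASSERTION),
                    ("query", QUERY_ASSERTION)]:
        print(name, bearer_usable(a, "https://sp.example.org/acs", "_req1", now))
```

The design choice worth noting is the explicit refusal of an assertion with no SubjectConfirmation: rather than treating "nothing" as equivalent to bearer, the relying party treats it as usable only within the exchange that produced it, which is the reading Scott describes for attribute queries.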
