OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Proposed clean up on subject text

> My $.02 is that zero confirmations means that the entity presenting the
> assertion doesn't have to do anything special in order to present the
> assertion.  To me that means it is a bearer token... but I probably
> could be convinced otherwise.

This has always been underspecified, between "bearer", "sender-vouches", and
"nothing". Of course, bearer (and sender-vouches) now have more capability
with the restrictive attributes I introduced, so it's no longer entirely
equivalent to nothing, but in 1.1, we arguably had 3 different syntaxes that
meant something similar.

As I heard people discuss it, the closest thing to consensus I ever heard
was that bearer was distinct, and nothing/sender-vouches seemed relatively
alike ("derived from application context", essentially).

When we do attribute queries in Shibboleth, we don't use SubjectConfirmation
(yet), and I don't think we anticipated that the SP could ever take that
assertion and use it to impersonate the user.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]