OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Proposed clean up on subject text

> > What about the case of, say, an Attribute query over SOAP?  An
> > Authority will respond with an assertion saying that "the entity
> > identifier X has the following associated attributes".
> >
> > I don't imagine that subject confirmation would be included, because
> > referenced entity isn't part of the exchange.  So, the default
> > interpretation of that assertion should definitely not be "bearer".
> Right, that's my use case today.
> > I'd like to see text in core, section 2.4.1 "Element <Subject>",
> > that the absence of any SubjectConfirmation elements MUST be
> > as having no correlation to any presenter of the assertion.  Leaving
> > up in the air seems very dangerous to me.
> I'm happy saying it's just "unspecified", as Ron said...the authority
> making no statement about subject confirmation whatsoever.
> -- Scott

So, you don't see any danger in a malicious party presenting such an
assertion to another relying party that interpreted the spec's
unspecificity is this area (which I don't see actually stated anywhere)
differently -- as "bearer", for instance?  This is my motivation for the
MUST clarification.

Steve Anderson

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]