Subject: RE: [security-services] NameIDPolicy Format use clarification
> [RSP] Yes, but section 8.3 is the section where all identifiers are
> listed that "MAY be used in the Format attribute of the <NameID>,
> <NameIDPolicy>, or <Issuer> elements". Since encrypted can be used in
> <NameIDPolicy> I think it should be listed here for completeness, with
> the caveat that it is only permitted in <NameIDPolicy>.

I interpreted that sentence differently (as in, if it couldn't be used in all those places, it didn't belong in that section). My fear was that people *would* think you could use it in any of those elements even if the text said you couldn't.

> [RSP] In Liberty ID-FF 1.2 it states that "of the formats defined in
> this specification, only federated name identifiers sometimes require
> encryption", so I have always presumed their use in that context.
> However, it actually did permit pre-1.2 identifiers to be encrypted by
> omitting the format or using "another unspecified value".

That's because Liberty didn't support traditional SAML identifiers, which are just as reasonable to encrypt as anything else. Persistent isn't that special. (That would be my subtitle for SAML 2.0.)

-- Scott
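The rule the thread is debating (the encrypted name identifier format is a request-time policy value, legitimate in <NameIDPolicy> but not in <NameID> or <Issuer>) can be enforced mechanically. The following is an added example, not code from the list or from any SAML implementation; it assumes the standard SAML 2.0 namespace URIs and the encrypted format URN from the Core specification, and the two messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENCRYPTED_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted"

# The only Format-bearing element where "encrypted" is a permitted value.
ALLOWED_IN = {f"{{{SAMLP}}}NameIDPolicy"}
# Every element whose Format attribute is governed by the identifier list.
FORMAT_BEARING = ALLOWED_IN | {f"{{{SAML}}}NameID", f"{{{SAML}}}Issuer"}


def encrypted_format_misuse(xml_text: str) -> list:
    """Return the local names of elements that carry the encrypted Format
    identifier where it is not permitted, in document order.
    An empty list means the message uses the identifier correctly."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():  # iter() includes the root element itself
        if (el.tag in FORMAT_BEARING
                and el.get("Format") == ENCRYPTED_FORMAT
                and el.tag not in ALLOWED_IN):
            findings.append(el.tag.split("}", 1)[1])
    return findings


# Constructed sample: an SP asking the IdP for an encrypted identifier.
# This is the legitimate use of the encrypted format.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" ID="_constructed-req-1" Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="{ENCRYPTED_FORMAT}" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed sample: an assertion that (wrongly) labels its Issuer and
# Subject NameID with the encrypted format instead of a real identifier
# format; a validating party should reject or flag this.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"
    ID="_constructed-assert-1" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer Format="{ENCRYPTED_FORMAT}">https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{ENCRYPTED_FORMAT}">opaque-value</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print(encrypted_format_misuse(AUTHN_REQUEST))  # []
    print(encrypted_format_misuse(ASSERTION))      # ['Issuer', 'NameID']
```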