
security-services message



Subject: Re: [security-services] Proposed erratum resolutions



On Apr 5, 2005, at 3:03 PM, Scott Cantor wrote:

>> Anyway, that said, I'm fine with Scott's suggested language if there's
>> value in only encrypting the NameID in the returned assertion (and not
>> any attributes).
>
> Something to consider is that AuthnRequest is not only usable in the
> case of an entity asking for an assertion for itself. The requester,
> subject, and relying party are all explicit actors. So the requester
> could in fact be asking for an assertion usable by somebody else (or
> somebodies).

True. However, if the requester is the party we're trying to hide the 
data from, we shouldn't trust them to ask for the encryption...

-Greg

>
> -- Scott


