OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName

> Hi, I noticed that the IssuerName is not a MUST for a Response.

Issuer, you mean? No, it's optional because I guess people aren't as
convinced as I am that it's madness not to do this uniformly. One of SAML
1.x's biggest weaknesses IMHO was lack of Issuer in the protocol layer. It
screwed us up repeatedly. It also caused Liberty to sprinkle ProviderID
elements all over the place.

> However, for an unsolicited Response, this makes handling 
> EncryptedAssertion elements whose decryption certs are 
> exchanged via metadata (and not in the Response) more 
> difficult or impossible. I.e., if KeyName/X509SerialNumber is 
> not part of the EncryptedAssertion, how would you know which 
> descryption key to use?

It screws up signing too, since you have to derive the responder from the
certificate and that's just not the easiest direction to go in, IMHO.

> Am  I missing something here? Should IssuerName be required 
> in the Response to avoid these types of issues?

I think the party line is that I was able to require use of Issuer in all
the profiles I wrote, so the fact that it's technically optional in core
doesn't matter that much. If somebody finds a good use for not including an
Issuer, so be it. If I missed a spot in profiles, that's an errata.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]