OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Authentication Response IssuerName vs. As sertion IssuerName

> I am concerned about making this a must.  While I think there 

I think it has to be a MUST if you're encrypting, or there's no way to know
who's sent you the assertion. We could add some kind of xenc extension to
carry something about that, but we didn't do that.

> Note that I am *NOT* saying that it should not be carried, 
> just that we shouldn't make unnecessary information mandatory.  

Well, that's my compromise position. In at least one case, it seems pretty
necessary to me.

> The current wording "issuer MAY be omitted" is essentially an 
>  "issuer SHOULD be present" (perhaps not exactly, but I 
> wouldn't object to saying it SHOULD be there, especially if 
> it was somehow caveated with "when the response is signed" or 
> something like that).

The MAY right now is in the profile, which of course knows that signing it
is optional. So we could change that to a SHOULD if signing, but the main
thing is to make it a MUST if encrypting.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]