Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName
Conor, what do you do in the case where the Response is not signed but someone is sending you an EncryptedAssertion?
How do you know who the issuer is (particularly if it's an unsolicited Response)?
Tom.
-----Original Message-----
From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: Friday, June 10, 2005 8:25 AM
To: Scott Cantor
Cc: 'Thomas Wisniewski'; security-services@lists.oasis-open.org
Subject: RE: [security-services] Authentication Response IssuerName vs. Assertion IssuerName
Scott Cantor wrote on 6/9/2005, 8:49 PM:
> > I am concerned about making this a must. While I think there
>
> I think it has to be a MUST if you're encrypting, or there's no way to
> know who's sent you the assertion. We could add some kind of xenc
> extension to carry something about that, but we didn't do that.
I think it probably should also be a MUST if you're signing the response.
My main concern is for when the response isn't signed.
Conor
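
A receiver-side sketch of the cases discussed in this thread, as an added example that is not from any list participant or from the SAML specification text. It encodes the positions stated above (Issuer on the Response when the assertion is encrypted, and when the Response is signed) and flags the unsigned-Response case; the function names, finding strings and skeletal sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

ENC_NO_ISSUER = "EncryptedAssertion present but Response has no Issuer"
SIGNED_NO_ISSUER = "Response is signed but has no Issuer"
ISSUER_UNSIGNED = "Response Issuer is not covered by a Response signature"

def issuer_findings(xml_text):
    """Structural check of one samlp:Response; verifies no signature, decrypts nothing."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser on untrusted input
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Direct children only: an Issuer nested in a cleartext Assertion names
    # that assertion's issuer, not the sender of the Response.
    issuer = root.find("saml:Issuer", NS)
    has_issuer = issuer is not None and bool((issuer.text or "").strip())
    signed = root.find("ds:Signature", NS) is not None
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    findings = []
    if encrypted and not has_issuer:
        findings.append(ENC_NO_ISSUER)      # the "MUST if you're encrypting" case
    if signed and not has_issuer:
        findings.append(SIGNED_NO_ISSUER)   # the "MUST if signing" case
    if encrypted and has_issuer and not signed:
        findings.append(ISSUER_UNSIGNED)    # the unsigned-Response case raised above
    return findings

def sample(issuer=None, signed=False, encrypted=False):
    """Build a constructed, skeletal Response (empty Signature / EncryptedAssertion)."""
    body = ""
    if issuer:
        body += "<saml:Issuer>%s</saml:Issuer>" % issuer
    if signed:
        body += "<ds:Signature/>"
    if encrypted:
        body += "<saml:EncryptedAssertion/>"
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
            'ID="_r1" Version="2.0">%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], NS["ds"], body))

if __name__ == "__main__":
    for kwargs in ({"encrypted": True},
                   {"issuer": "https://idp.example.org", "encrypted": True},
                   {"issuer": "https://idp.example.org", "signed": True, "encrypted": True}):
        print(kwargs, "->", issuer_findings(sample(**kwargs)))
```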