Subject: Re: [security-services] SSO Profile confusion
Thomas Wisniewski wrote:
> Can you clarify the following bullets in Profiles: 576, 578, and 580,
> and 584 -- which seem to contradict the above statement. They imply that
> one MUST verify various pieces against *any* bearer conf method (even if
> there is one that satisfied all requirements already)?

As Brian said, I don't think it makes sense to check all of them based on the rules that always made confirmation "any one of". Plus if you did check them all, they'd all have the same values and it would just be silly to have them, right?

I think it's just a matter of changing "any" to "the" or perhaps "a". We need some language to explain the concept here, I guess, that you're looking for a bearer method that contains all the required attributes (Recipient and NotOnOrAfter) and also passes the checking.

But what to do with multiple assertions is still too vague, not to mention multiple authn statements. Nobody but me seemed to be all that bothered by it at the time, so I concluded that having implemented it before in 1.1, that I was the only one confused by that.

-- Scott
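The "any one of" reading discussed in this message, as an added example that is not part of the original email or of any SAML implementation: a relying party accepts the assertion as soon as one bearer confirmation carries both Recipient and NotOnOrAfter and passes both checks. The namespace and bearer URI are taken from the published SAML 2.0 specification rather than from this thread; the function name, URLs and sample assertion are constructed, and the assertion's signature is assumed to have been verified already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumption: identifiers as published in SAML 2.0 (not quoted in the email).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def bearer_confirmed(assertion_xml, acs_url, now):
    """True if at least one bearer SubjectConfirmation has BOTH Recipient and
    NotOnOrAfter and both checks pass. Call only after signature validation."""
    root = ET.fromstring(assertion_xml)
    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # other confirmation methods are out of scope here
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue
        recipient, expiry = data.get("Recipient"), data.get("NotOnOrAfter")
        if recipient is None or expiry is None:
            continue  # missing a required attribute: try the next candidate
        try:
            # Only the UTC "Z" form without fractional seconds is handled;
            # anything else is rejected (fail closed).
            deadline = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ")
            deadline = deadline.replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        if recipient == acs_url and now < deadline:
            return True  # one fully satisfying confirmation is enough
    return False  # no single confirmation met every requirement

# Constructed sample: the first confirmation lacks NotOnOrAfter and is
# skipped; the second carries both attributes and is the one evaluated.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}"><saml:Subject>
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData Recipient="https://sp.example/acs"/>
  </saml:SubjectConfirmation>
  <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData Recipient="https://sp.example/acs"
        NotOnOrAfter="2005-01-01T12:05:00Z"/>
  </saml:SubjectConfirmation>
</saml:Subject></saml:Assertion>"""

if __name__ == "__main__":
    t = datetime(2005, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(bearer_confirmed(SAMPLE, "https://sp.example/acs", t))
```

Note that the requirements are not pooled across confirmations: a Recipient match in one element and a valid NotOnOrAfter in another does not count.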