OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] SSO Profile confusion


Brian, Scott, correct. Thanks for the clarifications.

Tom.

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Thursday, July 28, 2005 2:35 PM
> To: Thomas Wisniewski
> Cc: Brian Campbell; SAML
> Subject: Re: [security-services] SSO Profile confusion
>
>
> Thomas Wisniewski wrote:
> > Can you clarify the following bullets in Profiles: 576, 578, and 580,
> > and 584 -- which seem to contradict the above statement. They imply that
> > one MUST verify various pieces against *any* bearer conf method (even if
> > there is one that satisfied all requirements already)?
>
> As Brian said, I don't think it makes sense to check all of them based
> on the rules that always made confirmation "any one of".
>
> Plus if you did check them all, they'd all have the same values and it
> would just be silly to have them, right?
>
> I think it's just a matter of changing "any" to "the" or perhaps "a". We
> need some language to explain the concept here, I guess, that you're
> looking for a bearer method that contains all the required attributes
> (Recipient and NotOnOrAfter) and also passes the checking.
>
> But what to do with multiple assertions is still too vague, not to
> mention multiple authn statements. Nobody but me seemed to be all that
> bothered by it at the time, so I concluded that having implemented it
> before in 1.1, that I was the only one confused by that.
>
> -- Scott
>
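
The "any one of" reading discussed above, as an added Python example that is not part of the thread or of the SAML specifications: a service provider accepts when a single bearer SubjectConfirmation carries both Recipient and NotOnOrAfter and passes both checks, and never combines a passing Recipient from one confirmation with a passing NotOnOrAfter from another. The function names, the sp.example.org URLs and the sample assertion are assumptions constructed for illustration; signature verification and the profile's other checks are out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def parse_instant(value):
    # SAML instants are UTC xs:dateTime; fractional seconds are not handled here.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bearer_confirmed(assertion_xml, acs_url, now):
    """True if one bearer SubjectConfirmation has both Recipient and
    NotOnOrAfter and passes both checks by itself ("any one of")."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("./saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue
        recipient, expiry = data.get("Recipient"), data.get("NotOnOrAfter")
        if recipient is None or expiry is None:
            continue  # missing a required attribute; try the next one
        try:
            expires = parse_instant(expiry)
        except ValueError:
            continue  # unparseable instant never satisfies the check
        if recipient == acs_url and now < expires:
            return True  # this single confirmation satisfies everything
    return False  # checks are never combined across confirmations

def sample_assertion(confirmations):
    # Builds a constructed, unsigned assertion from (Recipient, NotOnOrAfter) pairs.
    body = "".join(
        f'<saml:SubjectConfirmation Method="{BEARER}">'
        f'<saml:SubjectConfirmationData Recipient="{r}" NotOnOrAfter="{t}"/>'
        "</saml:SubjectConfirmation>" for r, t in confirmations)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Subject>{body}</saml:Subject></saml:Assertion>")

ACS = "https://sp.example.org/acs"            # constructed SP endpoint
NOW = datetime(2005, 7, 28, 18, 30, tzinfo=timezone.utc)
EXPIRED_OURS = (ACS, "2005-07-28T18:00:00Z")   # right Recipient, expired
FRESH_OTHER = ("https://other.example.org/acs", "2005-07-28T19:00:00Z")
FRESH_OURS = (ACS, "2005-07-28T19:00:00Z")     # satisfies both checks
```

With only EXPIRED_OURS and FRESH_OTHER present the assertion is rejected, even though each check passes on some confirmation; adding FRESH_OURS makes it acceptable.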


