[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] SubjectConfirmation errata
[Ron]
> IMV, an entity satisfying the confirmation method has been authorized by the
> assertion issuer to use (the identity of) the subject of the assertion.
>
> IMV, if an additional identifier is present it indicates that the
> assertion issuer has authorized the attribution of this additional
> identifier to any entity that satisfies the confirmation method.
>
> As such, the presence of this additional identifier indicates that to
> the assertion issuer, the attesting entity is different (by this
> additional attribute) from the subject.
>
> Is that not sufficient?
[\Ron]

Yes, it is sufficient. My message was a little digressive, but I was actually
trying to understand the following text from Scott:

[Scott]
"If the <SubjectConfirmation> element in an assertion subject contains an
identifier that is distinct from the identifier in the enclosing subject, the
issuer authorizes the attesting entity to wield the assertion on behalf of
that subject. A relying party MAY apply additional constraints on the use of
such an assertion at its discretion, based upon the identities of both the
subject and the attesting entity. If an assertion is issued for use by an
entity other than the subject, then that entity SHOULD be identified in the
<SubjectConfirmation> element."
[\Scott]

The phrase "distinct from the identifier in the enclosing subject" is the
source of the problem. Do we really need it here?

- prateek
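The relying-party logic that Scott's paragraph describes, as an added example that is not part of this message, the thread, or the SAML specification text: parse the <Subject>, read the subject's own NameID and any NameID carried inside each <SubjectConfirmation>, treat a confirmation that names a different entity as issuer-authorized delegation to that entity, and then apply the relying party's discretionary extra constraint on the (subject, attesting entity) pair. The two assertions, the issuer https://idp.example.org, the subject "alice" and the delegate https://gateway.example.org are all constructed for the example. Signature validation and the proof that the presenter actually satisfies the confirmation Method (key possession for holder-of-key, transport trust for sender-vouches) are assumed to have been done already and are not shown.

```python
"""Relying-party identity check on a SAML 2.0 <Subject>: who is the subject,
who is the attesting entity named in <SubjectConfirmation>, and may the
presenting entity wield the assertion?  Added example with constructed
assertions and hypothetical entity names; not code from the thread or spec."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the issuer names a gateway (hypothetical
# https://gateway.example.org) inside <SubjectConfirmation>, distinct from the
# subject "alice", so the gateway is the attesting entity.
DELEGATED_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://gateway.example.org</saml:NameID>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>
"""

# Constructed assertion with no identifier inside <SubjectConfirmation>:
# whoever satisfies the method is taken to be the subject itself.
SELF_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example2" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
</saml:Assertion>
"""


def _name_id(element):
    """Text of a direct-child <NameID>, or None (BaseID/EncryptedID not handled)."""
    text = element.findtext("saml:NameID", namespaces=SAML_NS)
    return text.strip() if text else None


def subject_and_confirmations(assertion_xml):
    """Return (subject_id, [(method, attesting_entity_id), ...]).

    A <SubjectConfirmation> that carries its own NameID names the attesting
    entity; one without it confirms the subject directly, so the attesting
    entity is the subject."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", SAML_NS)
    if subject is None:
        raise ValueError("assertion has no <Subject>")
    subject_id = _name_id(subject)
    confirmations = []
    for sc in subject.findall("saml:SubjectConfirmation", SAML_NS):
        attesting = _name_id(sc) or subject_id
        confirmations.append((sc.get("Method"), attesting))
    return subject_id, confirmations


def evaluate(assertion_xml, presenter_id, approved_delegates=None):
    """Decide whether `presenter_id` may wield the assertion.

    Assumes the presenter has already been shown to satisfy the confirmation
    Method; only the identity logic is applied here: an identifier in
    <SubjectConfirmation> that differs from the subject means the issuer
    authorized that entity to act on the subject's behalf, and the relying
    party MAY add its own constraint (here: an allow-list per subject)."""
    approved_delegates = approved_delegates or {}
    subject_id, confirmations = subject_and_confirmations(assertion_xml)
    for _method, attesting in confirmations:
        if attesting != presenter_id:
            continue  # this confirmation is not about the presenter
        if attesting == subject_id:
            return "accepted:subject"
        # Issuer-authorized delegation; apply the RP's discretionary check.
        if presenter_id in approved_delegates.get(subject_id, ()):
            return "accepted:delegate"
        return "rejected:delegate-not-approved"
    return "rejected:presenter-not-named"


if __name__ == "__main__":
    policy = {"alice": {"https://gateway.example.org"}}
    print(evaluate(DELEGATED_ASSERTION, "https://gateway.example.org", policy))
    print(evaluate(DELEGATED_ASSERTION, "https://gateway.example.org"))
    print(evaluate(SELF_ASSERTION, "alice"))
```

Dropping the "distinct from" wording would not change this code: a <SubjectConfirmation> whose NameID happens to equal the subject's NameID simply collapses into the "subject confirms itself" branch, which is what `_name_id(sc) or subject_id` already yields when the element is absent.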