security-services message



Subject: possible errata: use of AudienceRestriction in the AuthnRequest protocol


Perhaps we can discuss this on tomorrow's call, and whether it should
be considered errata.  I agree with Scott that the wording in section
3.4.1.4 of Core seems a little strong.  Not sure if it makes sense to
reword at this point or not.

Thanks,
Tom Scavo
NCSA


---------- Forwarded message ----------
From: Scott Cantor <cantor.2@osu.edu>
Date: Sun, Jul 13, 2008 at 5:10 PM
Subject: Re: [saml-dev] clarification of AuthnRequest protocol
To: Tom Scavo <trscavo@gmail.com>
Cc: SAML Developers <saml-dev@lists.oasis-open.org>


Tom Scavo wrote:
>
> In section 3.4.1.4 of Core, it says "The resulting assertion(s) MUST
> contain a <saml:AudienceRestriction> element referencing the requester
> as an acceptable relying party."  What if the requester is in fact the
> requested subject, but beyond that the relying party is unspecified?
> What should the Audience value be in that case?

Well, I think the intent behind the text was to preclude issuing
assertions using that protocol that don't identify a relying party
unless there's some overriding signal to do so. As stated, the
protocol doesn't permit issuing unconstrained assertions. However,
that text is really kind of meant as a set of "default" behavior if
there's nothing in the request (or one could argue, a profile) to
dictate otherwise.

I think one could finesse around it easily enough by just spelling out
what you want in a profile. Worst case, you short circuit that text by
explicitly including an extension or something else that renders the
"In the absence of any specific content at all" clause moot.

But I wouldn't be against an errata there myself, it reads a bit
strongly to me. That text was kind of there as a placeholder to get
around the fact that the only concrete profile we had for the protocol
was Web SSO, and I didn't want core to be constrained by its rules.

-- Scott
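The rule in section 3.4.1.4 is easiest to see from the relying party's side: after the signature check, the SP confirms that the assertion it got back for its own AuthnRequest actually names it in a `<saml:AudienceRestriction>`, and rejects the unconstrained assertion the thread is discussing. The block below is an added example, not code from this thread or from any OASIS specification. The entity IDs, the sample assertions and the function names are constructed for illustration; it assumes the assertion's signature has already been verified and uses the standard-library XML parser only so that it runs stand-alone.

```python
"""Relying-party audience check on an assertion returned for an AuthnRequest.

Added example, not part of the thread: entity IDs, sample assertions and
function names are constructed.  Assumes the assertion signature has already
been verified.  The stdlib parser is used so the file runs stand-alone; parse
untrusted SAML with a hardened parser (e.g. defusedxml) in production.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical entity ID of the requester (the SP that sent the AuthnRequest).
REQUESTER = "https://sp.example.org/shibboleth"


def audience_restrictions(assertion_xml: str) -> list[set[str]]:
    """One set of <saml:Audience> URIs per <saml:AudienceRestriction>.

    SAML Core 2.5.1.4: audiences inside one AudienceRestriction are
    alternatives (any match satisfies it); several AudienceRestriction
    elements are evaluated independently and every one must be satisfied.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not saml:Assertion")
    restrictions = []
    for ar in root.findall("saml:Conditions/saml:AudienceRestriction", NS):
        audiences = {(a.text or "").strip() for a in ar.findall("saml:Audience", NS)}
        restrictions.append(audiences)
    return restrictions


def requester_is_acceptable_relying_party(assertion_xml: str, requester: str) -> bool:
    """Apply the 3.4.1.4 default rule from the requester's side.

    The assertion must name the requester in an AudienceRestriction.  An
    assertion with no AudienceRestriction at all is the "unconstrained"
    case the thread discusses and is rejected here.
    """
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False
    return all(requester in audiences for audiences in restrictions)


def _assertion(conditions_body: str) -> str:
    """Wrap a <saml:Conditions> body in a minimal constructed assertion."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1" Version="2.0" '
        'IssueInstant="2008-07-14T00:00:00Z">'
        "<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>"
        f"<saml:Conditions>{conditions_body}</saml:Conditions>"
        "</saml:Assertion>"
    )


# Constructed sample assertions covering the cases raised in the thread.
NAMES_REQUESTER = _assertion(
    f"<saml:AudienceRestriction><saml:Audience>{REQUESTER}</saml:Audience>"
    "</saml:AudienceRestriction>"
)
NAMES_OTHER_PARTY = _assertion(
    "<saml:AudienceRestriction><saml:Audience>https://other-sp.example.net</saml:Audience>"
    "</saml:AudienceRestriction>"
)
UNCONSTRAINED = _assertion("")  # no AudienceRestriction at all
TWO_RESTRICTIONS = _assertion(  # ANDed: the requester must appear in each one
    f"<saml:AudienceRestriction><saml:Audience>{REQUESTER}</saml:Audience>"
    "</saml:AudienceRestriction>"
    "<saml:AudienceRestriction><saml:Audience>https://other-sp.example.net</saml:Audience>"
    "</saml:AudienceRestriction>"
)


def run_examples() -> dict[str, bool]:
    """Evaluate each constructed assertion as REQUESTER would."""
    return {
        "names_requester": requester_is_acceptable_relying_party(NAMES_REQUESTER, REQUESTER),
        "names_other_party": requester_is_acceptable_relying_party(NAMES_OTHER_PARTY, REQUESTER),
        "unconstrained": requester_is_acceptable_relying_party(UNCONSTRAINED, REQUESTER),
        "two_restrictions": requester_is_acceptable_relying_party(TWO_RESTRICTIONS, REQUESTER),
    }


if __name__ == "__main__":
    for case, ok in run_examples().items():
        print(f"{case:18s} -> {'accept' if ok else 'reject'}")
```

Only the first case is accepted. The audience check is what stops an assertion issued for one SP from being replayed to another, which is why a relying party should treat the unconstrained case as a rejection rather than a permissive default even if Core's wording for the issuer side is loosened by errata or by a profile.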

