Subject: RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-05
> - In lines 377--379, I'm concerned that the assertion "MAY be signed
> if the HTTP Artifact binding is used," especially in light of the note
> on lines 389--390. I believe a HoK assertion MUST be signed,
> regardless of how it is obtained.

In response to Nate, he's right. There is no such requirement. Signing is orthogonal to HoK, just like it's orthogonal to bearer. Signing might be important for other reasons, but in a point to point exchange, the signature can be replaced by any equivalent integrity and authentication mechanism to ensure it came as is from the IdP.

-- Scott