OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Correction to my diatribe about assertion Subjects on last call

> > So, the old profile DOES requires that every assertion returned refers
> > the same principal. Obviously the HoK profile should do the same, and I
> > would suggest that it explicitly copy that text if it didn't already.
> Makes sense.

More sense than anything I was arguing for sure.

> All of that seems quite reasonable.  Things seem to get complicated,
> however, when the request has an explicit <Subject> element.

I generally thought of that as a simplifying factor, certainly with regard
to the NameID anyway, but I understand the confirmation half is squishy.

> What happens, for example, if the request contains a holder-of-key
> <SubjectConfirmation> element in ordinary Web Browser SSO or a bearer
> <SubjectConfirmation> element in HoK Web Browser SSO?  In the latter
> case, that seems to say that both bearer and holder-of-key
> <SubjectConfirmation> elements MUST be included.

Well, with regard to the former, it's not allowed. I had forgotten that, but
it was in the original text, we ruled out requesting confirmation as a

In the latter case, well, you *could* just say the same thing, or if you
still want to permit it, if you did ask for bearer, then, yes, you'd get

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]