Subject: Re: [security-services] Correction to my diatribe about assertion Subjects on last call


>> What happens, for example, if the request contains a holder-of-key
>> <SubjectConfirmation> element in ordinary Web Browser SSO or a bearer
>> <SubjectConfirmation> element in HoK Web Browser SSO?  In the latter
>> case, that seems to say that both bearer and holder-of-key
>> <SubjectConfirmation> elements MUST be included.
>
> In the latter case, well, you *could* just say the same thing, or if you
> still want to permit it, if you did ask for bearer, then, yes, you'd get
> both.


I think returning an assertion with both <SubjectConfirmation> methods is the best choice when the request issuer explicitly asks for bearer confirmation and the IdP is comfortable issuing such an assertion.  There's enough explicit explanatory text in the profile that I think implementors and deployers would be aware of the consequences.

