RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-10

["Scott Cantor" <cantor.2@osu.edu>]

> How about this (intentionally verbose) text:

I suppose on the face of it, it reads ok to me. I don't know whether there
are other request elements that would fall under the domain of worrying
about whether the message was signed or not, and I think the original text
was left brief to avoid considering that question.

> > Or arguably you can satisfy the intent by saying "I trust anybody",
> > presumably by also including a user consent piece that makes it the
user's
> > choice.
> 
> Well, I wouldn't go so far in the HoK Web Browser SSO Profile since
> that seems to go against the intent or at least the spirit of the
> profile.

I'm not sure why there's a difference. I don't see this profile as doing
anything other than attempting to leverage SSL to provide a stronger
delivery binding. The SAML aspects seem fairly common to me.

> If the choice is arbitrary, then I see no point of allowing multiple
> elements to begin with.  Unless there is a possible use case, no
> matter how far fetched, I suggest we restrict ourselves to one and
> only one AuthnStatement.

I think the primary issue is that if you include multiple assertions that
relate to other profiles, some of them are likely to have authentication
statements (in most cases identical ones). I don't think you can have a rule
that says only one statement can appear across all of them.

-- Scott