Subject: Re: Trust in artifact resolution
On 11 Feb 2010, at 21:33, Josh Howlett wrote:

> Section 5.4.2 ("<ArtifactResponse> Usage") of SAML2Profiles states
> that "The responder MUST authenticate itself to the requester and
> ensure message integrity, either by signing the message or using a
> binding-specific mechanism".
>
> I'm curious about the requirement to authenticate to the responder.

Additionally, section 3.6.5.2 ("Security Considerations", HTTP Artifact Binding) of SAML2Bindings states that "...the callback request/response exchange that returns the actual message MAY be mutually authenticated and integrity protected, depending on the environment of use."

How come the latter is a MAY while the former is a MUST?

josh.
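The two requirements quoted above fit together on the requester side as a single acceptance rule: the ArtifactResponse message itself must be authenticated (SAML2Profiles 5.4.2), and the binding's callback transport is one way to satisfy that, but an optional one (SAML2Bindings 3.6.5.2). The following Python is an added example written for this archive page, not code from the thread or from any SAML implementation. It uses only the standard library; the sample ArtifactResponse is constructed, the issuer entityID and request ID are assumed values, and actual XML-DSig verification is delegated to a caller-supplied function (a real deployment would pass one from its SAML or XML-DSig library).

```python
"""Requester-side policy check for a SAML 2.0 ArtifactResponse.

Added example, not from the mailing-list thread.  The responder is
accepted as authenticated if either the ArtifactResponse carries a
signature that verifies, or the callback transport was mutually
authenticated (for example client-certificate TLS).  Unsigned responses
over an unauthenticated callback are rejected.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class ResolutionContext:
    request_id: str            # ID of the ArtifactResolve we sent
    expected_issuer: str       # entityID of the responder we called (assumed value)
    transport_mutually_authenticated: bool  # did the callback use mutual TLS?


def check_artifact_response(xml_text: str, ctx: ResolutionContext,
                            verify_signature: Callable[[ET.Element], bool]) -> ET.Element:
    """Validate an ArtifactResponse and return the protocol message it wraps.

    Raises ValueError when the responder is not authenticated, the response
    does not correlate with our request, or it does not report Success."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}ArtifactResponse":
        raise ValueError("not an ArtifactResponse")

    # Correlate with the ArtifactResolve we sent (rejects stray or replayed responses)
    if root.get("InResponseTo") != ctx.request_id:
        raise ValueError("InResponseTo does not match our ArtifactResolve ID")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != ctx.expected_issuer:
        raise ValueError(f"unexpected Issuer {issuer!r}")

    # Profiles 5.4.2: responder MUST authenticate, by signature or binding mechanism
    signature = root.find("ds:Signature", NS)
    if signature is not None:
        if not verify_signature(root):
            raise ValueError("ArtifactResponse signature failed to verify")
    elif not ctx.transport_mutually_authenticated:
        raise ValueError("unsigned ArtifactResponse over an unauthenticated callback")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("artifact resolution did not succeed")

    # The wrapped message is the one child that is not Issuer, Signature or Status
    skip = {f"{{{SAML}}}Issuer", f"{{{DS}}}Signature", f"{{{SAMLP}}}Status"}
    inner = [child for child in root if child.tag not in skip]
    if len(inner) != 1:
        raise ValueError("expected exactly one wrapped message")
    return inner[0]


def build_response(signed: bool, in_response_to: str = "_req1") -> str:
    """Constructed sample ArtifactResponse (not a real capture)."""
    sig = ('<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
           '</ds:Signature>') if signed else ""
    return (
        f'<samlp:ArtifactResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'xmlns:ds="{DS}" ID="_resp1" Version="2.0" '
        f'IssueInstant="2010-02-11T21:33:00Z" InResponseTo="{in_response_to}">'
        '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
        f'{sig}'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<samlp:Response ID="_inner1" Version="2.0" '
        'IssueInstant="2010-02-11T21:33:00Z"/>'
        '</samlp:ArtifactResponse>'
    )


def resolution_outcome(signed, mutual_tls, in_response_to="_req1", sig_ok=True):
    """Run the check and report 'accepted:<tag>' or 'rejected:<reason>'.

    The signature verifier here is a constructed stand-in that just reports
    sig_ok; a deployment supplies a real XML-DSig verifier instead."""
    ctx = ResolutionContext("_req1", "https://idp.example.org/idp", mutual_tls)
    try:
        inner = check_artifact_response(build_response(signed, in_response_to),
                                        ctx, lambda _root: sig_ok)
        return f"accepted:{inner.tag}"
    except ValueError as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    for case in [(True, False), (False, True), (False, False),
                 (True, True, "_req1", False), (True, True, "_other")]:
        print(case, "->", resolution_outcome(*case))
```

The four combinations of "signed" and "mutual TLS" show why the MUST and the MAY are not in conflict: a signed message is accepted regardless of the transport, an unsigned one is accepted only when the binding supplied the authentication, and the InResponseTo and Issuer checks are the correlation steps a requester needs in either case.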