security-services message
Subject: Re: Trust in artifact resolution


On 11 Feb 2010, at 21:33, Josh Howlett wrote:
> Section 5.4.2 ("<ArtifactResponse> Usage") of SAML2Profiles states that "The responder MUST authenticate itself to the requester and ensure message integrity, either by signing the message or using a binding-specific mechanism".
>
> I'm curious about the requirement to authenticate to the responder.

Additionally, section 3.6.5.2 ("Security Considerations", HTTP Artifact Binding) of SAML2Bindings states that "...the callback request/response exchange that returns the actual message MAY be mutually authenticated and integrity protected, depending on the environment of use."

How come the latter is a MAY while the former is a MUST?

josh.
