Subject: Re: Proposed Ballots for Issue Groups 6, 7, 8, 9
>>>>> "EN" == Edwards, Nigel <Nigel_Edwards@hp.com> writes:
EN> I agree with the sentiments expressed in
EN> [UC-8-05:AtomicAssertions]. I think SAML assertions should be
EN> atomic. I think managing valid signatures over assertion
EN> fragments is an unnecessary complexity.
EN> However, I think an intermediary might also in some cases
EN> legitimately remove an atomic assertion, provided no signature
EN> was invalidated by doing so. An example is pointed out in
EN> [UC-8-03:IntermediaryDelete]. In this case the intermediary
EN> does it to make a purchase order anonymous, once it has
EN> validated that purchase order. I would be happy to see a
EN> modified version of [UC-8-03:IntermediaryDelete] that dealt
EN> with atomic assertions.
So, there are a couple of options here. One is that the intermediary
simply drops the identifying authn assertion altogether (making any
authz decision assertions invalid, as far as I can tell). Or, it
replaces the authn assertion with one of its own.
Both make sense to me -- but it seems hard to state them as
requirements.
~ESP