[R-DoS] Ensure that assertions (and later protocols, bindings) do not
unnecessarily offer DoS opportunities & if they have to, then this to
be called-out in the specification.
Basic thing to be aware of is where a URI is received and de-referenced.
Soon as you do that, you might be in trouble. Countermeasures built
around de-referencing after peer entity or message authentication (and
The question is do we want:
[R-ReAuth] Ability for server to signal that re-authentication is
required where you'd normally expect an authorization decision.
I didn't phrase that too well, but I guess folks'll recognize the
Philip Hallam-Baker wrote:
Try the second:
This time as an attachment.