RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-07 - Scott Cantor - org.oasis-open.lists.security-services

14 messages in org.oasis-open.lists.security-servicesRE: [security-services] comments re s...

From	Sent On	Attachments
Tom Scavo	Oct 17, 2008 4:59 pm
Nate Klingenstein	Nov 2, 2008 8:14 pm
Tom Scavo	Nov 4, 2008 7:47 am
Scott Cantor	Nov 4, 2008 8:09 am
Scott Cantor	Nov 4, 2008 8:38 am
Tom Scavo	Nov 4, 2008 8:39 am
Tom Scavo	Nov 9, 2008 11:27 am
Nate Klingenstein	Nov 9, 2008 9:13 pm
Tom Scavo	Nov 10, 2008 5:38 am
Mary McRae	Nov 10, 2008 5:53 am
Scott Cantor	Nov 10, 2008 7:32 am
Tom Scavo	Nov 10, 2008 10:53 am
Scott Cantor	Nov 10, 2008 11:48 am
Tom Scavo	Nov 10, 2008 12:02 pm

Subject:	RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-07
From:	Scott Cantor (cant...@osu.edu)
Date:	Nov 4, 2008 8:38:56 am
List:	org.oasis-open.lists.security-services

Well, the other alternative is to return an error, right?

For the IdP? Sure. That's the point. You just have prior knowledge about what might happen, so you can save it the trouble. If signing is a "whatever" sort of operation to the IdP, the logical thing to do is to sign if the flag is true, and do whatever the default is if it's not. If it's a major operation that the IdP doesn't normally like to do, then you'd probably consider returning an error.

I don't understand what's so vague about that.

If there were a WantAssertionsSigned attribute in AuthnRequest, would you be inclined to interpret it differently?

If it was written as a MUST (in which case that would be a bad name to use), I'd follow it, otherwise I'd do whatever I'm doing now.

-- Scott

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets