In the browser/artifact profile, we now say that ConfirmationData SHOULD NOT
be supplied. But in Browser/POST, we say nothing about ConfirmationData. I
looked back through the mail archive, but couldn't find a conclusive
statement. For consistency and completeness of the B&P spec, I think we
should provide a normative statement about it. I've assumed MUST NOT applies,
but then I haven't thought about it a lot. So is ConfirmationData a "MUST
NOT", "SHOULD NOT", "MAY", or something else?
RSA Security Inc.