Subject: comments re sstc-saml-holder-of-key-browser-sso-draft-10
There are a couple of requirements in draft-10 of the HoK Web Browser SSO Profile [1] that require further discussion.

First, the HoK Web Browser SSO Profile specifies (lines 384--385) that the <samlp:AuthnRequest> element MAY be signed, yet Core specifies (lines 2012--2013) that the <samlp:AuthnRequest> element SHOULD be signed. The HoK Web Browser SSO Profile goes on to give the following requirement (lines 392--393):

"If the <samlp:AuthnRequest> is not authenticated and integrity protected, the information in it MUST NOT be trusted except as advisory."

Sorry, I do not understand the above requirement. To make matters worse, the HoK Web Browser SSO Profile specifically recommends against signing in the section on Security and Privacy Considerations (lines 522--523). How do we reconcile this apparent discrepancy with regard to request signing? What are the proper requirements with respect to signing the AuthnRequest?

Second, I know we've discussed this before, but I think a <samlp:Response> element issued under HoK Web Browser SSO should contain one and only one <saml:AuthnStatement> element. I can't imagine why you'd want more than one, and even if multiple <saml:AuthnStatement> elements were allowed, I would think you'd want them to be identical. I know the language in the HoK Web Browser SSO Profile is intentionally similar to that in the ordinary Web Browser SSO Profile, but is there really a use case for multiple <saml:AuthnStatement> elements?

Tom

[1] http://www.oasis-open.org/committees/download.php/30309/sstc-saml-holder-of-key-browser-sso-draft-10.odt
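The two points raised in the message above, turned into concrete checks an IdP or SP implementer could run. This is an added example, not code from the thread, the SSTC drafts or any SAML implementation. The sample AuthnRequest and Response messages, the SP metadata endpoints, and the ds:Signature placeholder are all constructed here, and the handling of AssertionConsumerServiceURL is one reading of the draft's "advisory only" wording, not the profile's own text: an unsigned request never overrides the endpoint registered in SP metadata, a signed one may choose any registered endpoint. Only the presence of a signature is checked; cryptographic verification of the XML signature is a separate step that this block does not perform.

```python
"""Added example (not from the thread): checks for the two points raised above.
(1) Data from an unsigned <samlp:AuthnRequest> is treated as advisory only.
(2) A <samlp:Response> must carry exactly one <saml:AuthnStatement>.
Signature *presence* is checked here; cryptographic verification is out of scope."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample messages. The ds:Signature below is a placeholder for a
# real enveloped XML signature, so the presence check has something to find.
UNSIGNED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_req1" Version="2.0"
    IssueInstant="2009-06-01T12:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/acs/alt">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""
SIGNED_REQUEST = UNSIGNED_REQUEST.replace(
    "</saml:Issuer>",
    f'</saml:Issuer><ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo/></ds:Signature>', 1)

SP_METADATA = {  # constructed: the SP's registered ACS endpoints from its metadata
    "default": "https://sp.example.org/acs",
    "allowed": {"https://sp.example.org/acs", "https://sp.example.org/acs/alt"},
}


def request_is_signed(authn_request_xml: str) -> bool:
    """True if the AuthnRequest has an enveloped ds:Signature child (presence only)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.find("ds:Signature", NS) is not None


def request_parameters(authn_request_xml: str) -> dict:
    """Fields an IdP would act on, flagged authoritative only when the request is signed."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "authoritative": request_is_signed(authn_request_xml),
    }


def resolve_acs_url(params: dict, sp_metadata: dict) -> str:
    """One reading of 'MUST NOT be trusted except as advisory' for the ACS URL:
    an unsigned request never overrides SP metadata; a signed request may select
    any endpoint the metadata lists. sp_metadata = {"default": url, "allowed": {urls}}."""
    requested = params["acs_url"]
    if not params["authoritative"] or requested is None:
        return sp_metadata["default"]
    if requested not in sp_metadata["allowed"]:
        raise ValueError(f"requested ACS URL {requested!r} is not in SP metadata")
    return requested


def make_response(authn_statements: int) -> str:
    """Constructed samlp:Response carrying the given number of saml:AuthnStatement elements."""
    stmt = ('<saml:AuthnStatement AuthnInstant="2009-06-01T12:00:00Z"><saml:AuthnContext>'
            '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient'
            '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            'ID="_r1" Version="2.0" IssueInstant="2009-06-01T12:00:00Z">'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-06-01T12:00:00Z">'
            '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
            f'{stmt * authn_statements}</saml:Assertion></samlp:Response>')


def count_authn_statements(response_xml: str) -> int:
    """Number of saml:AuthnStatement elements across all assertions in the Response."""
    root = ET.fromstring(response_xml)
    return len(root.findall(".//saml:Assertion/saml:AuthnStatement", NS))


def check_single_authn_statement(response_xml: str) -> bool:
    """The rule proposed in the message: exactly one AuthnStatement, or reject."""
    n = count_authn_statements(response_xml)
    if n != 1:
        raise ValueError(f"expected exactly one saml:AuthnStatement, found {n}")
    return True


if __name__ == "__main__":
    for label, req in (("unsigned", UNSIGNED_REQUEST), ("signed", SIGNED_REQUEST)):
        print(label, "->", resolve_acs_url(request_parameters(req), SP_METADATA))
    print(count_authn_statements(make_response(1)), count_authn_statements(make_response(2)))
```

Run stand-alone, the unsigned request resolves to the metadata default endpoint even though it asks for /acs/alt, while the signed request gets /acs/alt because that endpoint is registered; a two-statement Response fails check_single_authn_statement. In production the presence check in request_is_signed must be replaced by real XML signature verification against the SP's metadata key before anything in the request is treated as authoritative.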