On Thu, Aug 19, 2010 at 1:41 PM, Thomas Hardjono <hardj...@mit.edu> wrote:
> Apologies for the late comments (below).

And apologies for my late reply.

> > What about the two bullets on AuthnStatement?
> >
> >    o  If the assertion issuer authenticated the subject, the assertion
> >       SHOULD contain a single <AuthnStatement> representing that
> >       authentication event.
> >
> >    o  If the assertion was issued with the intention that the client
> >       act autonomously on behalf of the subject, an <AuthnStatement>
> >       SHOULD NOT be included.
>
> My first reaction on seeing the first bullet is that
> the assertion MUST (instead of SHOULD) contain
> a single <AuthnStatement> representing that authentication event.
> Not sure if this is too strong.

I'm not sure either, to be honest. I was on the fence between MUST/SHOULD and MUST NOT/SHOULD NOT in those two bullets respectively. Perhaps you are right and the stronger language is warranted.

> Secondly, is it implicit in Oauth-v2-10 that the
> Authorization Server is able to process
> XML signatures (xmldsig). I'm presuming that if
> the Authorization Server can deal with SAML assertions,
> then it can handle digital signatures.

Yeah, not all authz servers will support this, of course, but those that do will need to be able to do XML signatures.