Cross-posting feedback from Scott Cantor regarding change to subject confirmation processing.
Comments?

Phil

@independentid
www.independentid.com
phil.h...@oracle.com

Begin forwarded message:

> From: "Cantor, Scott E." <canto...@osu.edu>
> Date: August 4, 2011 9:45:57 AM PDT
> To: Phillip Hunt <phil.h...@oracle.com>, SAML <security-servi...@lists.oasis-open.org>
> Subject: Re: [security-services] Fwd: [OAUTH-WG] I-D Action: draft-ietf-oauth-saml2-bearer-05.txt
>
> On 8/4/11 11:36 AM, "Phillip Hunt" <phil.h...@oracle.com> wrote:
>>
>> Lastly the processing rules on the assertion have been relaxed
>> somewhat to allow for <SubjectConfirmationData> element(s) to be
>> optional when the <Conditions> element has a NotOnOrAfter attribute.
>
> Omitting subject confirmation just means the assertion has no security
> semantics or that it's "sender vouches". You could do bearer by
> implication, but that's sloppy. Assertions should be self-defining
> whenever possible, not punt their semantics to implication.
>
> -- Scott
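An added example, not part of the thread or of the draft: a Python check that accepts an assertion as bearer only when it carries an explicit bearer <SubjectConfirmation>, while still applying the relaxed rule quoted above (expiry taken from <Conditions> when <SubjectConfirmationData> is absent). The function name, the sample assertions and the whole-second timestamp format are assumptions, and signature validation is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def _instant(value):
    # Assumes whole-second UTC instants such as 2011-08-04T17:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bearer_problems(assertion_xml, now):
    """Reasons to refuse the assertion as a bearer token; empty list means accept."""
    root = ET.fromstring(assertion_xml)
    bearer = [c for c in root.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if c.get("Method") == BEARER]
    if not bearer:
        # Nothing in the assertion says "bearer"; do not infer it.
        return ["no bearer SubjectConfirmation: bearer would only be implied"]
    cond = root.find("saml:Conditions", NS)
    cond_noa = cond.get("NotOnOrAfter") if cond is not None else None
    problems = []
    for c in bearer:
        data = c.find("saml:SubjectConfirmationData", NS)
        noa = data.get("NotOnOrAfter") if data is not None else None
        noa = noa or cond_noa  # relaxed rule: fall back to <Conditions>
        if noa is None:
            problems.append("no NotOnOrAfter on SubjectConfirmationData or Conditions")
        elif now >= _instant(noa):
            problems.append("expired at " + noa)
        else:
            return []  # one valid bearer confirmation is enough
    return problems

# Constructed sample assertions (unsigned, trimmed to the elements being checked).
HEAD = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
COND = '<saml:Conditions NotOnOrAfter="2011-08-04T17:00:00Z"/></saml:Assertion>'
IMPLIED = HEAD + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>" + COND
EXPLICIT = (HEAD + "<saml:Subject><saml:NameID>alice</saml:NameID>"
            '<saml:SubjectConfirmation Method="' + BEARER + '"/></saml:Subject>' + COND)

if __name__ == "__main__":
    now = datetime(2011, 8, 4, 16, 50, tzinfo=timezone.utc)
    for name, xml in (("implied", IMPLIED), ("explicit", EXPLICIT)):
        print(name, bearer_problems(xml, now) or "accept")
```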