Hi Prateek, 

I had never planned to make the term audience align with the SAML 
specification. 
However, in case this could lead to confusion, we could also define a different 
term. 

Btw, did you look at the JWT spec to see whether the audience term there is in line 
with the SAML spec?

Ciao
Hannes

On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:

> Hi Hannes,
> 
> I wanted to point out that use of the term "audience" in this document is not 
> consistent with the SAML 2.0 specification.
> 
> 
> What you are referring to here as "audience" corresponds to 
> <saml:destination> which is described as 
> 
> [quote-saml2.0]
> Destination [Optional]
> A URI reference indicating the address to which this request has been sent. 
> This is useful to prevent
> malicious forwarding of requests to unintended recipients, a protection that 
> is required by some
> protocol bindings. If it is present, the actual recipient MUST check that the 
> URI reference identifies the
> location at which the message was received. If it does not, the request MUST 
> be discarded. Some
> protocol bindings may require the use of this attribute (see [SAMLBind]).
> [\quote]
> 
> In contrast, <saml:audience> is a means of limiting the liability of the 
> asserting party and is described
> in the following manner - 
> 
> [quote-saml2.0]
> <Audience>
> A URI reference that identifies an intended audience. The URI reference MAY 
> identify a document
> that describes the terms and conditions of audience membership. It MAY also 
> contain the unique
> identifier URI from a SAML name identifier that describes a system entity 
> (see Section 8.3.6).
> The audience restriction condition evaluates to Valid if and only if the SAML 
> relying party is a member of
> one or more of the audiences specified.
> 
> The SAML asserting party cannot prevent a party to whom the assertion is 
> disclosed from taking action on
> the basis of the information provided. However, the <AudienceRestriction> 
> element allows the
> SAML asserting party to state explicitly that no warranty is provided to such 
> a party in a machine- and
> human-readable form. While there can be no guarantee that a court would 
> uphold such a warranty
> exclusion in every circumstance, the probability of upholding the warranty 
> exclusion is considerably
> improved.
> [\quote]
> 
> - prateek
> 
> 
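The recipient-side checks the two quoted SAML passages describe, plus the analogous check on a JWT "aud" claim that Hannes asks about, as an added example that is not part of this thread. It models the assertion as a plain dict-like object rather than parsed XML, and it assumes exact string comparison of URIs, which is a simplification of "identifies the location at which the message was received".

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Union

@dataclass
class Assertion:
    # Constructed model of the fields under discussion, not a SAML parser.
    destination: Optional[str]          # Destination attribute (optional in SAML)
    audiences: Optional[List[str]]      # <Audience> values; None = no <AudienceRestriction>

def destination_ok(a: Assertion, received_at: str) -> bool:
    """Destination: if present, it MUST identify the URI the message was received at,
    otherwise the request MUST be discarded (anti-forwarding check)."""
    if a.destination is None:
        return True            # absent is allowed unless the binding requires it
    return a.destination == received_at   # assumption: exact URI string match

def audience_ok(a: Assertion, relying_party_ids: Set[str]) -> bool:
    """AudienceRestriction evaluates to Valid iff this relying party is a member
    of at least one of the listed audiences."""
    if a.audiences is None:
        return True            # no condition present, nothing to evaluate
    return any(aud in relying_party_ids for aud in a.audiences)

def accept_assertion(a: Assertion, received_at: str, relying_party_ids: Set[str]) -> bool:
    """Both checks must pass; each guards against a different misuse."""
    return destination_ok(a, received_at) and audience_ok(a, relying_party_ids)

def jwt_aud_ok(claims: dict, my_ids: Set[str]) -> bool:
    """JWT 'aud' (per the JWT spec as later published, RFC 7519): a string or an
    array of strings; the processing party MUST reject the JWT if it does not
    identify itself with one of the values. The claim itself is optional."""
    aud: Union[str, List[str], None] = claims.get("aud")
    if aud is None:
        return True            # no audience claim, no restriction to evaluate
    values = [aud] if isinstance(aud, str) else list(aud)
    return any(v in my_ids for v in values)

if __name__ == "__main__":
    # Constructed sample: forwarded to the wrong endpoint, audience is fine.
    a = Assertion("https://sp.example/acs", ["https://sp.example"])
    print(accept_assertion(a, "https://other.example/acs", {"https://sp.example"}))  # False
```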

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
