Hi Brian,

Apologies for the late comments (below).

__________________________________________
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
> Sent: Thursday, August 12, 2010 4:08 PM
> To: Chuck Mortimore
> Cc: oauth
> Subject: Re: [OAUTH-WG] SAML profile comments/questions from the SAML people
>
> .....
> What about the two bullets on AuthnStatement?
>
>    o  If the assertion issuer authenticated the subject, the assertion
>       SHOULD contain a single <AuthnStatement> representing that
>       authentication event.
>
>    o  If the assertion was issued with the intention that the client act
>       autonomously on behalf of the subject, an <AuthnStatement> SHOULD
>       NOT be included.

My first reaction on seeing the first bullet is that the assertion MUST (instead of SHOULD) contain a single <AuthnStatement> representing that authentication event. Not sure if this is too strong.

Secondly, is it implicit in Oauth-v2-10 that the Authorization Server is able to process XML signatures (xmldsig)? I'm presuming that if the Authorization Server can deal with SAML assertions, then it can handle digital signatures.

Thanks.

/thomas/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth