On Sat, Nov 2, 2013 at 2:07 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
> Item #7+8: I think you should combine the two items since they relate to
> the same issue, namely when to include the <AuthnStatement> element.

Okay, #7&8 can be rolled up into one item.

> There
> are two questions:
>
> Q1: Has the subject been authenticated?
>
> If 'no', then the <AuthnStatement> cannot be populated.
>
> If 'yes', then
> Q2: Has the subject requested to be anonymous?
>
> If 'no', then the <AuthnStatement> element is populated
> with the subject's identity.
>
> If 'yes', then the <AuthnStatement> MUST NOT be populated.
> (or populated with a field that indicates that the subject
> is anonymous; I don't know SAML enough to tell what the
> right approach here is).

#8 is about the client acting *autonomously* on behalf of the subject. Not *anonymously*. Autonomous was a term used in earlier drafts of RFC 6749 (maybe circa -10 of draft-ietf-oauth-v2) when talking about a client who was acting on its own without the user being present.

> Then you write:
> "
> The presenter SHOULD
> be identified in the <NameID> or similar element in the
> <SubjectConfirmation> element, or by other available means like
> SAML V2.0 Condition for Delegation Restriction
> [OASIS.saml-deleg-cs].
> "
>
> Who is the presenter? Is the presenter the subject?

The presenter is the thing that shows up with and presents the assertion to the AS. It's a term used in the SAML specs. In this case the presenter is the client. Maybe it's better to just say client here and not use the term presenter?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
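To make the two cases in this exchange concrete, here is an added example (not from the thread, the draft, or any OASIS/IETF code) that parses two constructed SAML 2.0 assertions and reads out the pieces being argued over: the subject's <NameID>, the presenter (client) named inside <SubjectConfirmation>, and whether an <AuthnStatement> is present. It then applies Hannes's Q1 rule as a consistency check on the authorization-server side: an <AuthnStatement> should appear exactly when the subject was actually authenticated, so an autonomous client (no user present) gets none. The issuer, client, recipient and user identifiers are constructed placeholders; the check function and its message strings are my own, not anything the draft specifies.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample 1: user "alice" authenticated at a (hypothetical) IdP.
# The client presents the assertion to the AS, so the client is the presenter
# and is identified by the <NameID> inside <SubjectConfirmation>.
ASSERTION_USER_PRESENT = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1" Version="2.0" IssueInstant="2013-11-02T10:00:00Z">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:NameID>https://client.example/app</saml:NameID>
      <saml:SubjectConfirmationData NotOnOrAfter="2013-11-02T10:05:00Z"
                                    Recipient="https://as.example/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2013-11-02T09:59:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

# Constructed sample 2: the client acts autonomously (no user present). The
# subject is the client itself, and no user authentication event exists to
# describe, so there is no <AuthnStatement>.
ASSERTION_AUTONOMOUS = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a2" Version="2.0" IssueInstant="2013-11-02T10:00:00Z">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>https://client.example/app</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:NameID>https://client.example/app</saml:NameID>
      <saml:SubjectConfirmationData NotOnOrAfter="2013-11-02T10:05:00Z"
                                    Recipient="https://as.example/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>
"""


def summarize(assertion_xml):
    """Extract subject, presenter and AuthnStatement details from an assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 2.0 <Assertion>")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    # The presenter is whoever hands the assertion to the AS; per the draft
    # text quoted in the thread it is named inside <SubjectConfirmation>.
    presenter = root.findtext(
        "saml:Subject/saml:SubjectConfirmation/saml:NameID", namespaces=NS)
    authn = root.find("saml:AuthnStatement", NS)
    context = None
    if authn is not None:
        context = authn.findtext(
            "saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return {
        "subject": subject,
        "presenter": presenter,
        "authn_statement": authn is not None,
        "authn_context": context,
    }


def check_authn_statement(assertion_xml, subject_authenticated):
    """Apply Q1 from the thread: an <AuthnStatement> is present iff the
    subject was authenticated. Returns a list of problems (empty = consistent).
    The rule wording and the 'subject_authenticated' flag are this example's
    own assumptions about how an AS would apply the thread's rule."""
    info = summarize(assertion_xml)
    problems = []
    if info["authn_statement"] and not subject_authenticated:
        problems.append("AuthnStatement present but subject was not authenticated")
    if subject_authenticated and not info["authn_statement"]:
        problems.append("subject authenticated but no AuthnStatement describes how")
    if not info["presenter"]:
        problems.append("presenter (client) not identified in SubjectConfirmation")
    return problems


if __name__ == "__main__":
    for name, xml, authed in (("user present", ASSERTION_USER_PRESENT, True),
                              ("autonomous client", ASSERTION_AUTONOMOUS, False)):
        print(name, summarize(xml), check_authn_statement(xml, authed))
```

Running it shows the first assertion with subject alice, presenter the client, and an AuthnStatement, and the second with the client as both subject and presenter and no AuthnStatement; both pass the check, while passing `subject_authenticated=False` for the first assertion flags the stray AuthnStatement.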