So, Josh, I'd like to confirm that one consequence of what you're saying is that it would be entirely fine for an implementation to use NAIs including the actual username and for the IDP to only accept the NAI if the email address was correct?
I.e., if we don't mind shooting privacy in the head, we have an easy solution already supported by the protocols involved. I'm not recommending that approach, just trying to understand it.

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
