I had a quick look at the -03 draft and I'm confused. Are "ignore signatures is the MUST implement" and "MUST NOT sign" the only real options?
For example, I don't get why "IdP MAY sign + RP is NOT REQUIRED to verify signature + RP MUST implement signature verification" is not an option. (Assuming you add text that justifies why hop-by-hop integrity is ok.) Note: I'm not saying that the above is what you ought do, I'm saying I don't get why its not possible. S. On 10/02/2012 04:47 PM, Sam Hartman wrote: > OK, I'm with Josh. This is going to be one of those cases where digging > in heals now and saying MUST NOT sign will save us political grief > later. A lot of people like Stephen are going to look at ignore > signatures and complain, where as they would be more willing to accept > that we're simply not using per-message signatures at all. It's > unfortunate because I do think there ar situations where signatures are > valuable. However, I'm imagining that we're going to be having this > argument again and again and again and it just won't be worth the cost. > > _______________________________________________ abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab
