>
>    Josh> I agree that is an option; and it wouldn't be the end of the
>    Josh> world if that's where we end up. But I believe it would impede
>    Josh> interoperable deployments because it defers this discussion to
>    Josh> implementers and users who won't, on the whole, care about or
>    Josh> understand the issues. I would prefer to have a simple
>    Josh> interoperable solution that works for 99% of the users than a
>    Josh> less constrained but accordingly more complex solution that
>    Josh> satisfies the remaining 1%.
>
>IDP MAY sign + RP MAY ignore + RP MUST verify doesn't meet the IETF's
>interoperability criteria because an IDP that does not support
>signatures cannot work with an RP that requires them.

I agree. I thought Stephen's suggestion was IdP MAY sign + RP MAY verify.
This at least gets you interoperability, in the absence of a common TA, if
the RP chooses not to verify the signature (if any).

>So, I would not support a MTI strategy that depended on shared trust
>anchors.

Agreed.

Josh.



Janet is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
