>>>>> "Josh" == Josh Howlett <[email protected]> writes:

    >> 
    Josh> I agree that is an option; and it wouldn't be the end of the
    Josh> world if that's where we end up. But I believe it would impede
    Josh> interoperable deployments because it defers this discussion to
    Josh> implementers and users who won't, on the whole, care about or
    Josh> understand the issues. I would prefer to have a simple
    Josh> interoperable solution that works for 99% of the users than a
    Josh> less constrained but accordingly more complex solution that
    Josh> satisfies the remaining 1%.
    >> 
    >> IDP MAY sign + RP MAY ignore + RP MUST verify doesn't meet the
    >> IETF's interoperability criteria because an IDP that does not
    >> support signatures cannot work with an RP that requires them.

    Josh> I agree. I thought Stephen's suggestion was IdP MAY sign + RP
    Josh> MAY verify.  This at least gets you interoperability, in the
    Josh> absence of a common TA, if the RP chooses not to verify the
    Josh> signature (if any).

From a purely process point of view IDP MAY sign and RP MAY verify
doesn't interop.
MAY means just that; the RP is permitted to verify. I.e. I can ship an
RP that always verifies.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
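The interoperability argument in this exchange can be checked mechanically: a normative rule is interoperable only if every IdP behaviour it permits completes an exchange with every RP behaviour it permits. The following Python model is an added illustration, not code from the thread or from any ABFAB implementation; the behaviour names, the rule table and the "common trust anchor" flag are assumptions made here to model the cases the messages discuss (an RP that always verifies, and verification failing without a shared TA), and the last rule goes beyond the thread to show the general shape of a rule that does interoperate.

```python
from itertools import product

# Hypothetical model of the normative options under discussion.
# An IdP either never or always signs its assertions; an RP either ignores
# signatures, verifies one if present, or refuses unsigned assertions.
IDP_BEHAVIOURS = ("never_signs", "always_signs")
RP_BEHAVIOURS = ("ignore", "verify_if_present", "require_and_verify")

# Rule name -> (IdP behaviours the rule permits, RP behaviours it permits).
# "MAY" permits both choices; "MUST" narrows the set to the mandated ones.
RULES = {
    "IdP MAY sign + RP MAY verify": (IDP_BEHAVIOURS, RP_BEHAVIOURS),
    "IdP MAY sign + RP MUST verify": (
        IDP_BEHAVIOURS, ("verify_if_present", "require_and_verify")),
    "IdP MUST sign + RP MUST verify": (
        ("always_signs",), ("verify_if_present", "require_and_verify")),
    # Not proposed in the thread; included to show a rule that does interop.
    "IdP MAY sign + RP MUST ignore": (IDP_BEHAVIOURS, ("ignore",)),
}


def exchange_succeeds(idp, rp, common_trust_anchor):
    """Does one IdP/RP pairing complete an exchange?

    common_trust_anchor models whether the RP can validate the IdP's
    signing key at all; without it, any attempted verification fails.
    """
    signed = idp == "always_signs"
    if rp == "ignore":
        return True                     # RP never looks at signatures
    if rp == "require_and_verify" and not signed:
        return False                    # the case raised in the thread
    if signed:
        return common_trust_anchor      # RP verifies: needs a shared TA
    return True                         # unsigned, RP only verifies if present


def failing_pairs(rule, common_trust_anchor=True):
    """Permitted (IdP, RP) pairs that cannot complete an exchange."""
    idps, rps = RULES[rule]
    return [(i, r) for i, r in product(idps, rps)
            if not exchange_succeeds(i, r, common_trust_anchor)]


def interoperable(rule, common_trust_anchor=True):
    """A rule interoperates iff no permitted pairing fails."""
    return not failing_pairs(rule, common_trust_anchor)


if __name__ == "__main__":
    for rule in RULES:
        for ta in (True, False):
            print(f"{rule:35} TA={ta!s:5} interop={interoperable(rule, ta)} "
                  f"failing={failing_pairs(rule, ta)}")
```

Running it shows the point made above: under "IdP MAY sign + RP MAY verify" the pair (never_signs, require_and_verify) is permitted and fails, so the rule does not interoperate even though a non-verifying RP would work; "IdP MUST sign + RP MUST verify" interoperates only when a common trust anchor exists.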
