Chuck, The intent is clear. Perhaps the following change would clarify the text: Old: The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion. New: The Authorization Server MUST validate the assertion's signature in order to verify the Issuer of the assertion.
Zachary From: Chuck Mortimore [mailto:[email protected]] Sent: Friday, April 13, 2012 1:20 PM To: Zeltsan, Zachary (Zachary); Tschofenig, Hannes (NSN - FI/Espoo); [email protected] Subject: Re: [OAUTH-WG] WGLC on Assertion Drafts Hi Zachary - sorry about the delay in responding. Perhaps the language is a bit confusing - let me explain the intent and see if it makes sense and if you have a recommendation on how it could be made clearer. All this is really saying is that the Authorization server must validate the signature to make sure the Issuer is who they say they are. The authorization server would use the Issuer as it's mechanism for looking up either the shared secret for an HS256 or the public key for RS256. It then checks the signature, and proves to itself that the generator of the assertion had possession of the expected keying material and identified itself as the issuer. Feedback welcome -cmort On 4/5/12 1:33 PM, "Zeltsan, Zachary (Zachary)" <[email protected]> wrote: Hello, The draft http://tools.ietf.org/html/draft-ietf-oauth-assertions-01, section 6.1 has the following requirement: The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion. I thought that checking a signature is a part of the assertion validation, which cannot be done without knowing the mapping between the issuer and the secret used to generate the assertion. It appears that the quoted text requires validation of the assertion prior to checking the signature. What am I missing? Zachary From: [email protected] [mailto:[email protected]] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo) Sent: Thursday, April 05, 2012 10:47 AM To: [email protected] Subject: [OAUTH-WG] WGLC on Assertion Drafts Hi all, this is a Last Call for comments on these three documents: http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-10 http://tools.ietf.org/html/draft-ietf-oauth-assertions-01 http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02 Please have your comments in no later than April 23rd. Do remember to send a note in if you have read the document and have no other comments other than "it's ready to go" - we need those as much as we need "I found a problem". Thanks! Hannes & Derek
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
