Just a note (to myself as much as anything) that that same text is also in §6.2, §6.3 & §6.4 and should be updated for all occurrences.
On Fri, Apr 13, 2012 at 12:55 PM, Zeltsan, Zachary (Zachary) <zachary.zelt...@alcatel-lucent.com> wrote:

> Chuck,
>
> The intent is clear. Perhaps the following change would clarify the text:
>
> Old: The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion.
>
> New: The Authorization Server MUST validate the assertion’s signature in order to verify the Issuer of the assertion.
>
> Zachary
>
> *From:* Chuck Mortimore [mailto:cmortim...@salesforce.com]
> *Sent:* Friday, April 13, 2012 1:20 PM
> *To:* Zeltsan, Zachary (Zachary); Tschofenig, Hannes (NSN - FI/Espoo); oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] WGLC on Assertion Drafts
>
> Hi Zachary – sorry about the delay in responding.
>
> Perhaps the language is a bit confusing – let me explain the intent and see if it makes sense and if you have a recommendation on how it could be made clearer.
>
> All this is really saying is that the Authorization server must validate the signature to make sure the Issuer is who they say they are. The authorization server would use the Issuer as its mechanism for looking up either the shared secret for an HS256 or the public key for RS256. It then checks the signature, and proves to itself that the generator of the assertion had possession of the expected keying material and identified itself as the issuer.
>
> Feedback welcome
>
> -cmort
>
> On 4/5/12 1:33 PM, "Zeltsan, Zachary (Zachary)" <zachary.zelt...@alcatel-lucent.com> wrote:
>
> Hello,
>
> The draft http://tools.ietf.org/html/draft-ietf-oauth-assertions-01, section 6.1 has the following requirement:
>
> The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion.
>
> I thought that checking a signature is a part of the assertion validation, which cannot be done without knowing the mapping between the issuer and the secret used to generate the assertion.
> It appears that the quoted text requires validation of the assertion prior to checking the signature.
> What am I missing?
>
> Zachary
>
> *From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of *Tschofenig, Hannes (NSN - FI/Espoo)
> *Sent:* Thursday, April 05, 2012 10:47 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] WGLC on Assertion Drafts
>
> Hi all,
>
> this is a Last Call for comments on these three documents:
>
> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-10
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-01
> http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02
>
> Please have your comments in no later than April 23rd.
>
> Do remember to send a note in if you have read the document and have no other comments other than "it’s ready to go" - we need those as much as we need "I found a problem".
>
> Thanks!
>
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
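The validation order Chuck describes (read the Issuer claim only to select the keying material, then check the signature against that material before trusting anything) as an added Python example; this is not code from the thread or from the draft. It assumes a constructed issuer registry and implements only the HS256 shared-secret case; RS256 would look up the issuer's registered public key in the same place.

```python
import base64, hashlib, hmac, json

# Constructed issuer registry (assumption: the AS is configured out of band
# with the keying material and algorithm it expects from each trusted Issuer).
ISSUER_REGISTRY = {
    "https://idp.example.com": {"alg": "HS256", "key": b"constructed-shared-secret"},
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_assertion(assertion: str, registry=ISSUER_REGISTRY) -> dict:
    """Return the claims once the signature verifies; raise ValueError otherwise.
    The Issuer is read from the still-unverified payload solely to select the
    keying material; no claim is trusted until the signature check succeeds."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    entry = registry.get(payload.get("iss"))
    if entry is None:
        raise ValueError("unknown issuer")
    # The registered algorithm is authoritative and the header must agree with
    # it, so a sender cannot substitute a weaker one (e.g. "none") for this key.
    # Only HS256 is implemented here; RS256 would verify against a public key.
    if header.get("alg") != entry["alg"] or entry["alg"] != "HS256":
        raise ValueError("algorithm not accepted for this issuer")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(entry["key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify against the issuer's key")
    return payload

def is_valid(assertion: str) -> bool:
    try:
        validate_assertion(assertion)
    except ValueError:
        return False
    return True

def make_hs256_assertion(claims: dict, key: bytes) -> str:
    """Issuer side: build a sample HS256 JWT assertion (constructed input)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(mac)}"
```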