On Sat, Nov 2, 2013 at 2:07 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

> Security Consideration section:
>
> I believe the section needs to say two things in addition to the reference
> to the other specifications, which are already included in the security
> consideration section:
>
> a) The specification does not mandate replay protection for the SAML
> assertion usage for either the authorization grant or the client
> authentication. It is an optional feature.

Okay, I'll add some text about that. I think a word or two about it should go
into Interoperability Considerations as well.

> b) There is actually no authentication happening when these SAML assertions
> are used for client authentication and for the authorization grant (in the
> classical definition of authentication). This may be surprising to some who
> typically assume that the client would have to demonstrate proof of
> possession of a secret, which isn't the case here.

I'm not sure I fully understand what you mean. Maybe it's some semantics
around "authentication." Can you explain more or propose some text?

> It would have been possible to provide more enhanced functionality (and SAML
> supports this as well) but it is not provided in the specification. Maybe a
> future specification will provide that functionality. I think it is worth
> pointing out.

Can you give some examples or propose some text?
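The replay protection that point a) above describes as optional is, on the authorization-server side, a cache of assertion IDs kept for as long as each assertion could still be accepted. The following is an added example, not code from the thread, the draft or any IETF project: it shows a minimal token-endpoint check of a SAML 2.0 bearer assertion (validity window, audience, and an ID-based replay cache) and, in a comment, why none of this amounts to proof of possession by the client (point b). The assertion XML, the audience URL and the fixed clock are constructed; the cache is a hypothetical in-memory store, and signature verification is assumed to have happened upstream.

```python
"""Added example: replay check for a SAML 2.0 bearer assertion at an OAuth
token endpoint.  Assumes the assertion's XML signature was already verified;
the replay store here is a hypothetical in-memory dict."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _q(tag: str) -> str:
    """Qualify a local SAML tag name for ElementTree lookups."""
    return f"{{{SAML_NS}}}{tag}"


def parse_utc(ts: str) -> float:
    """Parse a SAML UTC timestamp (Zulu form) into epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()


class ReplayCache:
    """Remember seen assertion IDs until their NotOnOrAfter passes.

    Entries are dropped once the assertion could no longer be accepted anyway,
    which bounds the cache to the set of still-valid assertions."""

    def __init__(self) -> None:
        self._seen: dict[str, float] = {}  # assertion ID -> expiry epoch

    def check_and_record(self, assertion_id: str, expires_at: float,
                         now: float) -> bool:
        # purge entries whose validity window has already closed
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]
        if assertion_id in self._seen:
            return False            # presented before within its window
        self._seen[assertion_id] = expires_at
        return True


def validate_assertion(xml_text: str, expected_audience: str,
                       cache: ReplayCache, now: float) -> tuple[bool, str]:
    """Return (accepted, reason) for a signature-verified bearer assertion.

    Note that nothing here proves the presenter holds any secret: possession
    of the assertion bytes is sufficient, which is the point b) raised above.
    """
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    conditions = root.find(_q("Conditions"))
    if assertion_id is None or conditions is None:
        return False, "malformed assertion"
    not_before = parse_utc(conditions.get("NotBefore"))
    not_on_or_after = parse_utc(conditions.get("NotOnOrAfter"))
    audience = conditions.find(f"{_q('AudienceRestriction')}/{_q('Audience')}")
    if now < not_before:
        return False, "not yet valid"
    if now >= not_on_or_after:
        return False, "expired"
    if audience is None or audience.text != expected_audience:
        return False, "audience mismatch"
    if not cache.check_and_record(assertion_id, not_on_or_after, now):
        return False, "replayed"
    return True, "ok"


# Constructed sample input: a bare (unsigned) assertion and a constructed clock.
AUDIENCE = "https://as.example.test/token"
NOW = parse_utc("2013-11-02T02:01:00Z")
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2013-11-02T02:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-11-02T02:00:00Z"
                   NotOnOrAfter="2013-11-02T02:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    cache = ReplayCache()
    print(validate_assertion(SAMPLE_ASSERTION, AUDIENCE, cache, NOW))  # (True, 'ok')
    print(validate_assertion(SAMPLE_ASSERTION, AUDIENCE, cache, NOW))  # (False, 'replayed')
```

The first presentation is accepted and the second, identical one is rejected; without the cache both would succeed, which is the behaviour an authorization server has when it takes the specification's default and skips the optional check.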