Association Response contradiction?
Johnny Bufu
johnny at sxip.com
Fri Sep 8 22:48:57 UTC 2006
I believe there's a contradiction in the specs, see below:
------------------------
7.4.3. Unencrypted Association Sessions
An IdP MAY respond to an association request with a "no-encryption"
association session response regardless of the type of association
session requested. For better security, a Relying Party MAY choose
not to use the resulting association on subsequent authentication
requests.
7.4.4. Diffie-Hellman Association Sessions
If the IdP does not support Diffie-Hellman, it MUST ignore the
Diffie-Hellman fields in the request and reply with a no-encryption
association session response.
7.4.5. Unsuccessful Response Parameters
If the IdP does not support an association session type or
association type, it MUST respond with a message indicating that the
association session failed. If there is another association session
type or association type that is supported, the IdP MAY include that
information in the response.
------------------------
In case the RP requests a session / association combination not
supported by the IdP, the IdP should:
- according to 7.4.3 and 7.4.4: return a positive "no-encryption"
association response
- according to 7.4.5: return an association failure response
I don't see how it can comply with both requirements. Am I
missing something?
Johnny
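To make the overlap between the three quoted clauses concrete, here is a small model, added as an illustration and not code from this thread or from any OpenID implementation. It applies each clause to a request and reports which outcomes they demand, flagging the case where two MUSTs disagree; it also shows the Relying-Party-side policy that the last sentence of 7.4.3 permits, namely refusing an association that came back weaker than requested. The type names (DH-SHA1, no-encryption, HMAC-SHA1) are the OpenID 2.0 draft values; the "supported set" inputs and the outcome strings are assumptions of this model.

```python
"""Model of the three quoted association clauses (7.4.3, 7.4.4, 7.4.5).

Added illustration, not code from the mailing-list thread or any OpenID
library. The supported-set inputs and outcome labels are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

NO_ENCRYPTION = "no-encryption"   # session type name from the OpenID 2.0 drafts


@dataclass(frozen=True)
class AssocRequest:
    session_type: str   # e.g. "DH-SHA1" or "no-encryption"
    assoc_type: str     # e.g. "HMAC-SHA1"


@dataclass(frozen=True)
class AssocResponse:
    ok: bool
    session_type: Optional[str] = None
    assoc_type: Optional[str] = None


def clause_outcomes(req: AssocRequest,
                    supported_sessions: Set[str],
                    supported_assocs: Set[str]) -> Dict[str, str]:
    """Return {clause: demanded outcome} for every quoted clause that applies.

    Outcome strings are constructed labels: "MAY no-encryption",
    "MUST no-encryption" or "MUST fail".
    """
    outcomes: Dict[str, str] = {}
    session_ok = req.session_type in supported_sessions
    assoc_ok = req.assoc_type in supported_assocs

    # 7.4.3: the IdP MAY answer no-encryption regardless of what was asked.
    outcomes["7.4.3"] = "MAY no-encryption"

    # 7.4.4: a Diffie-Hellman session was requested but is not supported,
    # so the IdP MUST reply with a no-encryption session response.
    if req.session_type.startswith("DH-") and not session_ok:
        outcomes["7.4.4"] = "MUST no-encryption"

    # 7.4.5: an unsupported session or association type MUST fail.
    if not session_ok or not assoc_ok:
        outcomes["7.4.5"] = "MUST fail"

    return outcomes


def is_contradictory(outcomes: Dict[str, str]) -> bool:
    """True when more than one distinct MUST outcome applies at once."""
    musts = {v for v in outcomes.values() if v.startswith("MUST")}
    return len(musts) > 1


def rp_accepts(req: AssocRequest, resp: AssocResponse) -> bool:
    """RP policy allowed by 7.4.3: do not use an association whose session
    type is weaker than the one requested, or whose assoc type changed."""
    if not resp.ok:
        return False
    if resp.session_type == NO_ENCRYPTION and req.session_type != NO_ENCRYPTION:
        return False
    return resp.assoc_type == req.assoc_type


if __name__ == "__main__":
    # Constructed scenario: RP asks for DH-SHA1 from an IdP that only
    # supports no-encryption sessions.
    req = AssocRequest("DH-SHA1", "HMAC-SHA1")
    outcomes = clause_outcomes(req, {NO_ENCRYPTION}, {"HMAC-SHA1"})
    for clause, outcome in sorted(outcomes.items()):
        print(f"{clause}: {outcome}")
    print("contradictory:", is_contradictory(outcomes))
    downgraded = AssocResponse(True, NO_ENCRYPTION, "HMAC-SHA1")
    print("RP accepts downgraded response:", rp_accepts(req, downgraded))
```

Running the constructed scenario shows 7.4.4 demanding a no-encryption response and 7.4.5 demanding a failure for the same request, which is exactly the clash described above; a request the IdP fully supports triggers neither MUST. The RP check is the defensive side of the same clauses: whatever the IdP does, an RP that asked for a DH session can decline to use an unencrypted one it did not request.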