Association Response contradiction?

Johnny Bufu johnny at sxip.com
Mon Sep 11 21:08:52 UTC 2006


Is this list better suited to this kind of question? I'm resending the message here as I haven't got any responses on the general list:


I believe there's a contradiction in the specs, see below:

------------------------
7.4.3.  Unencrypted Association Sessions

An IdP MAY respond to an association request with a "no-encryption"  
association session response regardless of the type of association  
session requested. For better security, a Relying Party MAY choose  
not to use the resulting association on subsequent authentication  
requests.

7.4.4.  Diffie-Hellman Association Sessions

If the IdP does not support Diffie-Hellman, it MUST ignore the Diffie- 
Hellman fields in the request and reply with a no-encryption  
association session response.

7.4.5.  Unsuccessful Response Parameters

If the IdP does not support an association session type or  
association type, it MUST respond with a message indicating that the  
association session failed. If there is another association session  
type or association type that is supported, the IdP MAY include that  
information in the response.
------------------------

In case the RP requests a session / association combination not supported by the IdP, the IdP should:
- according to 7.4.3 and 7.4.4: return a positive "no-encryption" association response
- according to 7.4.5: return an association failure response

I don't see how it can comply with both requirements. Am I missing something?



Thanks,
Johnny
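Added example, not part of the original post: an RP-side classifier for the two responses the post describes, so that a Relying Party can tell a "no-encryption" downgrade (7.4.3 / 7.4.4) apart from an explicit failure (7.4.5) and decline the weaker association rather than silently using it. It assumes the response is in OpenID key-value form ("key:value" per line) and uses the field names session_type, assoc_type, error, error_code, mac_key and enc_mac_key plus the error_code value "unsupported-type" from the final OpenID 2.0 specification, which may differ from the 2006 draft quoted above; the sample responses are constructed, not captured from a real IdP.

```python
"""RP-side handling of OpenID association responses (added example).

Assumptions (not on the page): key-value response format and field
names follow the final OpenID 2.0 spec rather than the 2006 draft.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_key_value(text: str) -> Dict[str, str]:
    """Parse key-value form: one 'key:value' pair per line.

    Only the first ':' separates key from value, so values such as
    'http://specs.openid.net/auth/2.0' survive intact.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed key-value line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


@dataclass
class Decision:
    action: str                      # "use", "reject-downgrade", "failed", "retry"
    reason: str
    retry_session_type: Optional[str] = None
    retry_assoc_type: Optional[str] = None


def classify_association_response(requested_session_type: str,
                                  response_text: str) -> Decision:
    """Decide what the RP should do with an association response."""
    fields = parse_key_value(response_text)

    # 7.4.5 path: the IdP refused. If it hinted at a supported type the RP
    # can retry with that type instead of giving up on associations.
    if "error" in fields:
        hinted = "session_type" in fields or "assoc_type" in fields
        if fields.get("error_code") == "unsupported-type" and hinted:
            return Decision("retry", fields["error"],
                            fields.get("session_type"), fields.get("assoc_type"))
        return Decision("failed", fields["error"])

    # 7.4.3 / 7.4.4 path: a positive response, but possibly with a weaker
    # session type than requested. A missing session_type is treated as
    # "no-encryption" (the OpenID 1.1 convention; an assumption here).
    returned = fields.get("session_type", "no-encryption")
    if returned != requested_session_type:
        # The spec lets the RP decline: a mac_key delivered in the clear can
        # be read by anyone able to observe the association exchange.
        return Decision("reject-downgrade",
                        f"requested {requested_session_type}, got {returned}")

    # Sanity-check that the response carries the key material its type implies.
    if returned == "no-encryption" and "mac_key" not in fields:
        return Decision("failed", "no-encryption response without mac_key")
    if returned != "no-encryption" and "enc_mac_key" not in fields:
        return Decision("failed", f"{returned} response without enc_mac_key")
    return Decision("use", f"association established with {returned}")


# Constructed sample responses (hypothetical values, not from a real IdP).
DOWNGRADE_RESPONSE = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "assoc_type:HMAC-SHA1\n"
    "session_type:no-encryption\n"
    "assoc_handle:{HMAC-SHA1}{example-handle}\n"
    "expires_in:1209600\n"
    "mac_key:AAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
)
FAILURE_RESPONSE = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "error:Unsupported session type\n"
    "error_code:unsupported-type\n"
    "session_type:DH-SHA1\n"
    "assoc_type:HMAC-SHA1\n"
)
DH_RESPONSE = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "assoc_type:HMAC-SHA1\n"
    "session_type:DH-SHA1\n"
    "assoc_handle:{HMAC-SHA1}{example-handle}\n"
    "expires_in:1209600\n"
    "dh_server_public:AQ==\n"
    "enc_mac_key:AAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
)

if __name__ == "__main__":
    for name, resp in [("downgrade", DOWNGRADE_RESPONSE),
                       ("failure", FAILURE_RESPONSE), ("dh", DH_RESPONSE)]:
        print(name, classify_association_response("DH-SHA1", resp))
```

Whichever reading of the draft an IdP follows, the RP ends up in one of the four branches above; the point of the check is that a downgrade to "no-encryption" is a deliberate decision by the RP, not the default outcome of a mismatch.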




More information about the specs mailing list