Association Response contradiction?
johnny at sxip.com
Mon Sep 11 21:08:52 UTC 2006
Is this list better suited for this kind of question? I'm
resending the message here as I haven't got any responses on the
I believe there's a contradiction in the specs, see below:
7.4.3. Unencrypted Association Sessions
An IdP MAY respond to an association request with a "no-encryption"
association session response regardless of the type of association
session requested. For better security, a Relying Party MAY choose
not to use the resulting association on subsequent authentication
7.4.4. Diffie-Hellman Association Sessions
If the IdP does not support Diffie-Hellman, it MUST ignore the Diffie-
Hellman fields in the request and reply with a no-encryption
association session response.
7.4.5. Unsuccessful Response Parameters
If the IdP does not support an association session type or
association type, it MUST respond with a message indicating that the
association session failed. If there is another association session
type or association type that is supported, the IdP MAY include that
information in the response.
In case the RP requests a session / association combination not
supported by the IdP, the IdP should:
- according to 7.4.3 and 7.4.4: return a positive "no-encryption"
- according to 7.4.5: return an association failure response
I don't see how it can comply with both requirements. Am I
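To make the two response paths quoted above concrete from the Relying Party's side, here is an added example (not code from the original post or from any OpenID implementation). It assumes the key-value response format ("key:value" per line), the "no-encryption" / "DH-SHA1" session type names, an omitted session_type meaning unencrypted, and an error reply that carries "error" plus the optional session_type/assoc_type hints described in 7.4.5; the sample responses are constructed.

```python
# Added example: classify an IdP association response the way an RP would,
# covering the 7.4.3/7.4.4 downgrade path and the 7.4.5 failure path.
# Field names and session type names are assumptions (see lead-in).

def parse_kv(body: str) -> dict:
    """Parse key-value form; a non-empty line without ':' is malformed."""
    fields = {}
    for line in body.splitlines():
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed key-value line: {line!r}")
        key, value = line.split(":", 1)
        fields[key] = value
    return fields

def classify_association_response(requested_session: str, body: str, over_tls: bool) -> dict:
    """Return {'action': 'use'|'discard'|'retry'|'fail', ...} for an association response."""
    fields = parse_kv(body)
    # 7.4.5 path: the IdP refused the session/association type combination.
    # If it hints at a supported combination, the RP can retry with that.
    if "error" in fields:
        hints = {k: fields[k] for k in ("session_type", "assoc_type") if k in fields}
        return {"action": "retry" if hints else "fail", "hints": hints, "fields": fields}
    # Assumption: a missing session_type means a no-encryption session.
    session = fields.get("session_type", "no-encryption")
    # 7.4.3/7.4.4 path: a DH request answered with no-encryption. The MAC key is
    # then sent in the clear, so only keep it if the transport was already encrypted.
    if session == "no-encryption" and requested_session != "no-encryption":
        return {"action": "use" if over_tls else "discard", "downgraded": True, "fields": fields}
    if session != requested_session:
        return {"action": "fail", "fields": fields}  # unexpected session type: do not guess
    return {"action": "use", "downgraded": False, "fields": fields}

# Constructed sample responses (placeholder handles and keys, not real captures).
DOWNGRADE_RESPONSE = "assoc_type:HMAC-SHA1\nassoc_handle:h1\nexpires_in:1209600\nmac_key:c2VjcmV0\n"
ERROR_RESPONSE = ("error:unsupported session type\nerror_code:unsupported-type\n"
                  "session_type:no-encryption\nassoc_type:HMAC-SHA1\n")
DH_RESPONSE = ("assoc_type:HMAC-SHA1\nassoc_handle:h2\nsession_type:DH-SHA1\n"
               "expires_in:1209600\ndh_server_public:QUJD\nenc_mac_key:REVG\n")

if __name__ == "__main__":
    for name, body in [("downgrade", DOWNGRADE_RESPONSE), ("error", ERROR_RESPONSE), ("dh", DH_RESPONSE)]:
        print(name, classify_association_response("DH-SHA1", body, over_tls=False)["action"])
```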