Association Response contradiction?

Johnny Bufu johnny at
Mon Sep 11 21:08:52 UTC 2006

Is this list better suited for this kind of question? I'm  
resending the message here as I haven't got any responses on the  
general list:

I believe there's a contradiction in the specs, see below:

7.4.3.  Unencrypted Association Sessions

An IdP MAY respond to an association request with a "no-encryption"  
association session response regardless of the type of association  
session requested. For better security, a Relying Party MAY choose  
not to use the resulting association on subsequent authentication  

7.4.4.  Diffie-Hellman Association Sessions

If the IdP does not support Diffie-Hellman, it MUST ignore the Diffie- 
Hellman fields in the request and reply with a no-encryption  
association session response.

7.4.5.  Unsuccessful Response Parameters

If the IdP does not support an association session type or  
association type, it MUST respond with a message indicating that the  
association session failed. If there is another association session  
type or association type that is supported, the IdP MAY include that  
information in the response.

In case the RP requests a session / association combination not  
supported by the IdP, the IdP should:
- according to 7.4.3 and 7.4.4: return a positive "no-encryption"  
association response
- according to 7.4.5: return an association failure response

I don't see how it can comply with both requirements. Am I  
missing something?

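The two IdP behaviours the post contrasts, seen from the Relying Party's side, as an added example that is not part of the mailing-list message or of any OpenID implementation: an RP asks for a DH-SHA1 session, and the IdP may (per 7.4.3/7.4.4) answer with a "no-encryption" association or (per 7.4.5) with a failure response that optionally names a session type it does support. The code parses both replies and applies the "MAY choose not to use the resulting association" caveat as an explicit policy. Assumptions: field names follow the key-value form of the final OpenID Authentication 2.0 specification (`ns`, `session_type`, `assoc_handle`, `error`, `error_code`); the three replies are constructed for illustration, not captured traffic; the `allow_plaintext` policy switch and the handle values are mine.

```python
import base64

# Added example, not code from the post. Field names are those of the final
# OpenID Authentication 2.0 key-value form encoding (assumption: the 2006
# draft quoted above may have differed in detail).
NS_OPENID2 = "http://specs.openid.net/auth/2.0"
SESSION_NO_ENC = "no-encryption"
SESSION_DH = ("DH-SHA1", "DH-SHA256")


def parse_kv(body):
    """Parse Key-Value Form Encoding: one 'key:value' per line, split at the
    first colon, so values may themselves contain colons (URLs, base64)."""
    fields = {}
    for line in body.split("\n"):
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed key-value line: %r" % line)
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


def build_association_request(assoc_type, session_type, dh_public=None):
    """The RP's association request as a dict of POST parameters.
    dh_public is the RP's big-endian DH public value when a DH session is
    requested (default modulus and generator, so they are not sent)."""
    params = {
        "openid.ns": NS_OPENID2,
        "openid.mode": "associate",
        "openid.assoc_type": assoc_type,
        "openid.session_type": session_type,
    }
    if session_type in SESSION_DH:
        if dh_public is None:
            raise ValueError("DH session requested without a public value")
        params["openid.dh_consumer_public"] = base64.b64encode(dh_public).decode("ascii")
    return params


def evaluate_association_response(requested_session, body, allow_plaintext=False):
    """Classify the IdP's reply to an association request.

    Returns a tuple starting with one of:
      'error'      - failure response (7.4.5): (error_code, suggested session_type)
      'downgraded' - DH requested, no-encryption returned (7.4.3 / 7.4.4);
                     refused unless allow_plaintext is set (policy is mine)
      'ok'         - usable association: (assoc_handle, session_type)
    """
    fields = parse_kv(body)
    if fields.get("ns") != NS_OPENID2:
        raise ValueError("not an OpenID 2.0 response")

    if "error" in fields:
        return ("error", fields.get("error_code"), fields.get("session_type"))

    got = fields.get("session_type")
    if got == SESSION_NO_ENC and requested_session in SESSION_DH:
        # The IdP is allowed to downgrade; the mac_key then travels in the clear,
        # so only accept it when the caller has explicitly opted in (e.g. over TLS).
        if not allow_plaintext:
            return ("downgraded", got, None)
        return ("ok", fields["assoc_handle"], got)
    if got != requested_session:
        raise ValueError("unexpected session_type %r" % got)
    return ("ok", fields["assoc_handle"], got)


# Constructed IdP replies, one per branch of the spec text quoted above.
_DUMMY_KEY = base64.b64encode(b"\x00" * 20).decode("ascii")  # placeholder, not a real key

RESPONSE_PLAINTEXT = (  # 7.4.3 / 7.4.4: DH asked for, no-encryption returned
    "ns:http://specs.openid.net/auth/2.0\n"
    "session_type:no-encryption\n"
    "assoc_type:HMAC-SHA1\n"
    "assoc_handle:constructed-handle-1\n"
    "expires_in:1209600\n"
    "mac_key:" + _DUMMY_KEY + "\n"
)
RESPONSE_ERROR = (  # 7.4.5: failure, with the supported type suggested
    "ns:http://specs.openid.net/auth/2.0\n"
    "error:Unsupported session type\n"
    "error_code:unsupported-type\n"
    "session_type:no-encryption\n"
    "assoc_type:HMAC-SHA1\n"
)
RESPONSE_DH = (  # the requested DH-SHA1 session honoured
    "ns:http://specs.openid.net/auth/2.0\n"
    "session_type:DH-SHA1\n"
    "assoc_type:HMAC-SHA1\n"
    "assoc_handle:constructed-handle-2\n"
    "expires_in:1209600\n"
    "dh_server_public:" + base64.b64encode(b"\x02").decode("ascii") + "\n"
    "enc_mac_key:" + _DUMMY_KEY + "\n"
)

if __name__ == "__main__":
    req = build_association_request("HMAC-SHA1", "DH-SHA1", b"\x05")
    for body in (RESPONSE_PLAINTEXT, RESPONSE_ERROR, RESPONSE_DH):
        print(evaluate_association_response(req["openid.session_type"], body))
```

With the default policy the downgraded reply is refused and the error reply reports `unsupported-type` together with the IdP's suggested `no-encryption`, so the RP's next step (retry with that type, or refuse to associate) is the same decision either way; the contradiction in the draft only changes which message carries the hint.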
