private association fro unsolicited positive assertions
nara hideki
hdknr at ic-tact.co.jp
Fri Mar 26 05:04:58 UTC 2010
Hi experts,
I'm afraid that this question has been discussed ,but I can't found that.
"10. Responding to Authentication Requests" of Auth 2.0 Final says:
OPs SHOULD use private associations for signing unsolicited
positive assertions.
I'd like to know the reason why "SHOULD is used rather than "MAY".
Is there any security threat if we don't use private associations
Thanks in advance.
-----
hdknr.com
More information about the specs
mailing list