Hi Chad,

Concerning passing attribute assertions between entities, Chad La Joie wrote:

> For those that aren't subscribed to one of the many lists on which this issue has been brought up, let me outline the basics. These assertions carry potentially sensitive information about a user.

Correct, so in this case they should be encrypted for the SP, which is the ultimate destination of the assertion.

> Most attribute authorities contain the ability to control the release of this information on a per-party basis (i.e. A can see/request the sensitive information but B may not). A service which passed the information it received onto another service circumvents the attribute authority and its policies.

This is not always so. For example, B may request the attribute assertion from the AA in order to forward it to A (the SP). In this case the AA will return the assertion to B, encrypted for A to read. B is given the assertion to pass on to A, but B cannot read it, so there is no circumvention of the AA's policy in this case.

Regards,

David

-- 
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
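The flow David describes (B requests the assertion, the AA encrypts it for A, B forwards a blob it cannot read) is shown below as an added worked example; it is not code from the thread or from any SAML implementation. It stands in for XML Encryption with a plain hybrid scheme: a fresh AES-256-GCM key for the assertion body, wrapped with RSA-OAEP for the one party the AA's release policy names as the destination. The party names, the `Issue`/`Open` functions and the sample `<saml:Attribute>` string are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedAssertion is a constructed stand-in for a SAML EncryptedAssertion:
// the assertion body under a one-time AES-256-GCM key, with that key wrapped
// (RSA-OAEP) so that exactly one recipient can unwrap it.
type EncryptedAssertion struct {
	Recipient  string // the party the AA chose to encrypt for
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Party is any entity in the flow (SP "A", intermediary "B") with a key pair.
type Party struct {
	Name string
	key  *rsa.PrivateKey
}

func NewParty(name string) *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return &Party{Name: name, key: k}
}

func (p *Party) PublicKey() *rsa.PublicKey { return &p.key.PublicKey }

var oaepLabel = []byte("assertion-key")

// Issue models the AA. Who asked for the assertion does not matter here: it is
// encrypted for the party the release policy names as the ultimate destination.
func Issue(assertion []byte, destination *Party) (*EncryptedAssertion, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The recipient name is bound as associated data, so a forwarder cannot
	// silently relabel the assertion for a different party.
	ct := gcm.Seal(nil, nonce, assertion, []byte(destination.Name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, destination.PublicKey(), sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{Recipient: destination.Name, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is what any holder of the blob can attempt. Only the destination's
// private key unwraps the session key; every other party gets an error.
func (p *Party) Open(ea *EncryptedAssertion) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ea.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("%s cannot unwrap the assertion key: %w", p.Name, err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, []byte(ea.Recipient))
}

// Flow runs the exchange from the message: B asks the AA for an assertion to
// forward to A, the AA encrypts it for A and hands it to B, B forwards it.
// It returns what A recovered and whether B was able to read it on the way.
func Flow() (aRead string, bCouldRead bool, err error) {
	a := NewParty("A") // the SP, ultimate destination
	b := NewParty("B") // the intermediary that requests and forwards
	assertion := []byte(`<saml:Attribute Name="mail">alice@example.edu</saml:Attribute>`) // constructed sample
	ea, err := Issue(assertion, a) // AA releases for A per policy; B carries the result
	if err != nil {
		return "", false, err
	}
	_, bErr := b.Open(ea) // B holds the blob but cannot open it
	got, err := a.Open(ea)
	if err != nil {
		return "", false, err
	}
	return string(got), bErr == nil, nil
}

func main() {
	got, bRead, err := Flow()
	fmt.Printf("A read: %q\nB could read: %v\nerr: %v\n", got, bRead, err)
}
```

The point of the example is the separation between requester and recipient: the AA's policy decision is enforced by the key the session key is wrapped for, not by who is on the wire. If B's key were used instead, or if the AA encrypted for the requester by default, B would be able to read the attributes regardless of policy; the associated data on the recipient name also makes a relabelled forward fail authentication rather than decrypt.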