- changed status to open
Messages, Standard security considerations use of "the assertion" language
Issue #298
resolved
The Security Considerations sections contain a lot of language like "To mitigate this threat, the assertion...". The "assertion" language should be made more specific by using the terms ID Token, Access Token, or both.
Comments (4)
Message is done with changeset 98b64ebdac66.
Re #298 Message - Removed remaining use of assertion.
- changed status to resolved
Actually, it could also be the UserInfo response.
Assertion in SP800-63 is pretty much the "(IdP asserted) set of claims". We had this definition before, but it was removed from the subsequent drafts because it is only used in the Security Considerations to map to SP800-63.
In Basic, we have this sentence at the beginning of the security consideration.
BTW, the link to SP800-63 has changed, so we need to fix it. New location: http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1-Draft3_June2011.pdf
It is still a draft and the URL is not stable. Perhaps we should incorporate them in this spec.
I will take a crack at the text.