Messages, Standard security considerations use of "the assertion" language

Issue #298 resolved
Michael Jones created an issue

The Security Considerations sections contain a lot of language like "To mitigate this threat, the assertion...". The "assertion" language should be made more specific by using the terms ID Token, Access Token, or both.

Comments (4)

  1. Nat Sakimura

    Actually, it could be also UserInfo response.

    Assertion in SP800-63 is pretty much the "(IdP asserted) set of claims". We had this definition before, but it was removed from the subsequent drafts because it is only used in Security Considerations to map to SP800-63.

    In Basic, we have this sentence at the beginning of the security consideration.

    An assertion is the result of the authentication performed by the Authorization Server that was provided to the Client. The assertion is used to pass information about the End-User or the authentication process from the Authorization Server to the Client.

    BTW, the link of SP800-63 got changed, so we need to fix it: New location: http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1-Draft3_June2011.pdf

    It is still a draft and the URL is not stable. Perhaps we should incorporate them in this spec.

    I will take a crack at the text.
