...

  • Scott moves to take on this work as an FIWG work item. Hank seconds. With no further discussion or objections, the motion passes.
  • John will circle with Joni to confirm how the FIWG should move forward with future publication of its SAML2int work.
  • Signing and encryption language should be revisited. Nate pointed out that the existing profile language requires that assertions MUST be signed. Due to recently discovered vulnerabilities in XML Encryption, best practices have changed since this language was drafted, and the language needs to be modified as well. The tentative recommendation would be to sign the response, optionally encrypt assertions, and optionally sign assertions for situations where the assertion may be forwarded alone, e.g. delegation. John pointed out that for some legal purposes in some countries, signature of an encrypted object is not sufficient for non-repudiation, and as a result, signature of the assertion remains important in that instance as well. The workgroup will discuss this further.
  • John will begin this thread and circulate via the list.

...