[OAUTH-WG] comment on draft-tschofenig-auth-audience-00.txt (incorrect use of audience)

prateek mishra <prateek.mishra@oracle.com> Thu, 14 March 2013 15:35 UTC

Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0686111E8223 for <oauth@ietfa.amsl.com>; Thu, 14 Mar 2013 08:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AUwDuboYlBQT for <oauth@ietfa.amsl.com>; Thu, 14 Mar 2013 08:35:09 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 4BD3C11E8188 for <oauth@ietf.org>; Thu, 14 Mar 2013 08:35:09 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r2EFZ6l2015599 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 14 Mar 2013 15:35:07 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r2EFZ6uw026355 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 14 Mar 2013 15:35:06 GMT
Received: from abhmt112.oracle.com (abhmt112.oracle.com [141.146.116.64]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r2EFZ6Nw009971; Thu, 14 Mar 2013 10:35:06 -0500
Received: from [130.129.23.121] (/130.129.23.121) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 14 Mar 2013 08:35:05 -0700
Message-ID: <5141EE22.2030306@oracle.com>
Date: Thu, 14 Mar 2013 11:34:58 -0400
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130215 Thunderbird/17.0.3
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
References: <1362079266.8952.YahooMailClassic@web141002.mail.bf1.yahoo.com> <512FCDF0.6010807@gmx.net>
In-Reply-To: <512FCDF0.6010807@gmx.net>
Content-Type: multipart/alternative; boundary="------------090501030807040707010408"
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Subject: [OAUTH-WG] comment on draft-tschofenig-auth-audience-00.txt (incorrect use of audience)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 15:35:16 -0000

Hi Hannes,

I wanted to point out that use of the term "audience" in this document 
is not consistent with the SAML 2.0 specification.


What you are referring to here as "audience" corresponds to 
<saml:destination> which is described as

[quote-saml2.0]
Destination [Optional]
A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]).
[/quote]

In contrast, <saml:audience> is a means of /limiting the liability of the asserting party/ and is described in the following manner -

[quote-saml2.0]
<Audience>
A URI reference that identifies an intended audience. The URI reference MAY identify a document that describes the terms and conditions of audience membership. It MAY also contain the unique identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).

The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.

The SAML asserting party cannot prevent a party to whom the assertion is disclosed from taking action on the basis of the information provided. However, the <AudienceRestriction> element allows the SAML asserting party to state explicitly that no warranty is provided to such a party in a machine- and human-readable form. While there can be no guarantee that a court would uphold such a warranty exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably improved.
[/quote]

- prateek
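The two SAML 2.0 checks quoted in the message above, written out side by side as an added example (this is not part of the message and not code from any SAML implementation): the Destination attribute of a Response is compared with the URL at which the message was actually received, and each AudienceRestriction of the Assertion is checked for the relying party's own entity ID. The XML, the issuer, the entity IDs and the URLs are constructed for illustration; signature verification and the remaining Conditions (NotBefore/NotOnOrAfter, etc.) are assumed to be handled before these checks and are not shown.

```python
"""Destination vs. AudienceRestriction on a SAML 2.0 Response.

Added example, not taken from the mailing-list message or from any SAML product.
All identifiers below (issuer, entity IDs, URLs) are constructed.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an unsigned Response whose Assertion names two audiences.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2013-03-14T15:35:00Z"
    Destination="https://sp.example.org/saml/acs">
  <saml:Issuer>https://idp.example.net/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-03-14T15:35:00Z">
    <saml:Issuer>https://idp.example.net/</saml:Issuer>
    <saml:Conditions NotBefore="2013-03-14T15:30:00Z"
                     NotOnOrAfter="2013-03-14T15:40:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/</saml:Audience>
        <saml:Audience>https://partner.example.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_destination(response_xml: str, received_at: str,
                      require: bool = False) -> bool:
    """Protocol-level check from SAML Core: if Destination is present it MUST
    equal the URL the message arrived at, otherwise the message is discarded.
    require=True additionally rejects a missing Destination, for bindings that
    mandate the attribute (signed messages over HTTP-POST/HTTP-Redirect)."""
    # Production code: parse with defusedxml and verify the signature before this.
    root = ET.fromstring(response_xml)
    dest = root.get("Destination")
    if dest is None:
        return not require
    return dest == received_at


def check_audience(response_xml: str, my_entity_id: str) -> bool:
    """Assertion-level check: each <AudienceRestriction> is evaluated on its own
    and is Valid only if my_entity_id is one of its <Audience> values
    (Audiences inside one restriction are OR-ed, restrictions are AND-ed).
    An assertion with no restriction at all is rejected here; that is a local
    policy choice for a relying party, not a Core requirement."""
    root = ET.fromstring(response_xml)
    restrictions = root.findall(f".//{{{SAML}}}AudienceRestriction")
    if not restrictions:
        return False
    for restriction in restrictions:
        audiences = {a.text.strip()
                     for a in restriction.findall(f"{{{SAML}}}Audience") if a.text}
        if my_entity_id not in audiences:
            return False
    return True


def accept(response_xml: str, received_at: str, my_entity_id: str):
    """Run both checks in the order a relying party would; returns (ok, reason)."""
    if not check_destination(response_xml, received_at, require=True):
        return False, "Destination does not match the receiving endpoint (forwarded or misdirected message)"
    if not check_audience(response_xml, my_entity_id):
        return False, "this relying party is not named in the AudienceRestriction"
    return True, "ok"


if __name__ == "__main__":
    print(accept(SAMPLE_RESPONSE, "https://sp.example.org/saml/acs", "https://sp.example.org/"))
    print(accept(SAMPLE_RESPONSE, "https://attacker.example/acs", "https://sp.example.org/"))
    print(accept(SAMPLE_RESPONSE, "https://sp.example.org/saml/acs", "https://other.example/"))
```

The two checks are independent and answer different questions: Destination asks whether this message was delivered to the endpoint it was addressed to (the forwarding protection in the first quote), while AudienceRestriction asks whether this relying party is one the asserting party is willing to vouch to (the second quote). A relying party that enforces only one of them gets neither property from the other.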