imi-comment message
Subject: Comment on Identity Metasystem Interoperability


I am sorry this is late; I thought the deadline was today.

Comments on identity-1.0-spce-cd-02.pdf

Section 2.3 is much less clear than the rest of the document.

lines 383-385 say:

  When following a chain of STSs, when an STS with an ic:RequireFederatedIdentityProvisioning declaration is
  encountered as per Section 3.2.1, this informs the Identity Selector that the STS is an IP/STS, rather than a
  member of the RP/STS chain.

It is not clear what this means or what its significance is. If the intent is that the IP/STS marks the end of the chain, why not say so?

The mention of PPID in lines 390-392 should spell out what it stands for (private personal identifier) and include a forward reference to section 3.3.4 where it is defined. Perhaps this section could be moved to later in the document after PPID has been described.

The text makes repeated references to "certificate". Is certificate distinct from "token"? What qualifies as a certificate? PK certificate? X.509 certificate? PKIX profiled certificate? Does a Kerberos token qualify? How about a SAML token with a PK?

What role does this certificate play? Does it represent the identity of one of the parties? If so, which one? Is it an encryption key for one of the parties?

lines 397-399 say:

  Each RP/STS endpoint MUST provide a certificate. This certificate MAY be communicated either via Transport (such
  as HTTPS) or Message (such as WS-Security) Security. If Message Security is employed, transports not providing
  security (such as HTTP) may be used.

Is the sender required to provide PoP of the private key? How exactly is the certificate to be sent? In the SOAP body? In the Security header?


line 687 says:

  This optional element provides a friendly name for this individual.

It should read:

  This optional element provides a friendly name for this individual claim type.

Regards,

Hal Lockhart
Oracle
Member of OASIS Tab