Subject: [security-services-comment] Bindings/Profiles comments
I have some comments/questions on the Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) Committee Specification 01, 31 May 2002

http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-01.pdf

Editorial:

I believe the section #s for the SOAP over HTTP need to be updated, namely

  3.1.3.2 on line [258] for authentication
  3.1.3.3 on line [263] for integrity
  3.1.3.4 on line [267] for confidentiality

Since SSL/TLS is recommended for inter-site transfer and artifact transmission, perhaps https should be shown in the examples at lines [443], [483].

There is also a typo on [831], extra backslash.

It might be helpful to clarify the expectations of SubjectConfirmationData and ds:KeyInfo usage for the different ConfirmationMethods in this profile. Is it true that only holder-of-key would be expected to have a ds:KeyInfo SubjectConfirmation element (for the assertion subject), and none would have SubjectConfirmationData? Presumably the Bearer method would have a ds:KeyInfo element as part of the SAML response signature, but this is separate from ConfirmationMethod.

regards, Frederick

---------------------------------------
Frederick Hirsch
Technology Architect
Nokia Mobile Phones
5 Wayside Rd., Burlington, MA 01803 USA
frederick.hirsch@nokia.com