
security-services message



Subject: RE: [security-services] Comment on core-25 sec 2.4.3.2


>  I remain concerned about the semantics of this element. I 
> feel it has not been thought through in the SAML context but 
> perhaps imported from some specific or proprietary 
> implementation that may be of interest to a few individuals.

Given that more than one party felt it was needed, I don't think it's
fair to call it specific or proprietary. This is nothing earthshaking.
You've got a web browser profile and a protocol for getting other
assertions directly, but nothing to connect the two at runtime. Can you
handle it with the moral (but more complex) equivalent of /etc/hosts?
Sure.
 
> Hence, I would request a vote concerning its 
> inclusion in SAML. I have raised similar questions before but 
> I do not feel they have been adequately answered [1].

I was surprised to see the element show up. My comment was neutral with
respect to that, but if it's there, I felt the text should be corrected,
and probably needs further clarification, as you say.

> But what is meant by the notion of "AuthorityKindType"?
> It seems misplaced in that a different question needs to be answered
> first: what type of service is implemented at the "Binding" URI?
> 
> We have defined three request-response pairs in the 
> specification --- which one of them is implemented at the 
> "Binding" URI? All three? Only one of the three?

Presumably, that's the assumption behind the "kinds", right? Three
different queries, so you get three different types of answers, and if
you tell me the same binding matches all three kinds, so be it.

> Once this question is answered, we can perhaps further 
> constrain the service by describing the types of statements 
> in assertions returned by the particular service. 

I think that's a much more interesting question, but since I'm a little
fuzzy on the whole idea behind the statements and RespondWith thing...

It *seems* like it would be intuitive that if I send you an
AttributeQuery, I want an AttributeStatement. And so on. Reading the
core doc, I see text to the effect that I will get back something
containing the type of statement I'd expect, but I could get back more
than that, presumably. Maybe that's where RespondWith comes in?

I think you expressed the position that RespondWith is a little fuzzy to
you too, with which I would concur. I see this as a similar issue, but
more clear in my mind as to intent, anyway.

-- Scott


