These comments are from an expanded internal review here at
RSA. Sorry I couldn't get these late last week.
- Global comment - while the term "Requester"
is defined in the glossary, "Responder" is not. Both are
used throughout the bindings spec. Suggest a global "s/responder/authority/"
(or add responder to the glossary).
- Sections 4.1.1.4 and 4.1.1.5 - The description of these steps in the Browser/Artifact profile refers to the "assertion consumer" service at the destination site. The "assertion consumer" term is also used in the Browser/POST description. But in the Browser/Artifact Profile, this service is not an assertion consumer - it is an artifact consumer and thus should be renamed. Substitute "artifact" for "assertion" in lines 475, 479, 482, 483, 498, 499, 505, 506, and 514.
- Lines 495, 514, 728: The phrase "exposed over SSL..." sounds strange to folks since what we're doing is preventing the URL from being exposed to attack. Recommend "protected by SSL...".
- Line 608: s/must MUST/MUST/
- Line 679: replace "browser/artifact" with "browser/POST"
- Line 711: The "Submit" button should not be included in the HTML FORM body that "MUST" be used. Lines 765-775 contradict this by explaining how to avoid using the submit button. Thus, line 711 should be deleted.
- Lines 765-775: First, the Note seems out of place since it is indented immediately following a comment about <ConfirmationMethod> which has nothing to do with it. Recommend removing the note and inserting the following paragraph after line 744:
"Posting the form can be triggered by various means. For example, a "submit" button could be included in the HTML FORM described in Step 2 by including the following line:
<INPUT TYPE="Submit" NAME="button" Value="Submit">
This requires the user to click the Submit button in order for the POST request to be sent. Alternatively, JavaScript can be used to avoid the user interaction:"
[include the javascript from lines 767-775]
- Line 838: refers to [AES], but an [AES] reference doesn't exist in the References section on pp 26-27.
Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com
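The two ways of triggering the Browser/POST form that the comment on lines 711 and 765-775 discusses (a Submit button versus a script that posts on page load), as an added example that is not part of this review or of the SAML specification text. It is Python that a source site could use to build the form page, using the SAML 1.x Browser/POST field names SAMLResponse and TARGET; the action URL, the sample response XML and the parser helper for the destination side are constructed for illustration, and every field value is HTML-escaped so a caller-supplied TARGET cannot inject markup into the page.

```python
import base64
import html
import re

# Constructed sample response; a real one would be a signed SAML <Response>.
SAMPLE_RESPONSE_XML = (
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
    'ResponseID="_constructed-example"/>'
)


def build_post_form(action_url: str, response_xml: str, target: str,
                    auto_submit: bool) -> str:
    """Return the HTML page the source site sends back in the Browser/POST profile.

    With auto_submit=False a Submit button is included and the user must click it.
    With auto_submit=True the button is omitted and the body's onload handler
    posts the form, avoiding any user interaction.
    """
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    esc = lambda s: html.escape(s, quote=True)  # escape &, <, >, " and '
    hidden = (
        f'<INPUT TYPE="hidden" NAME="SAMLResponse" VALUE="{esc(encoded)}">\n'
        f'<INPUT TYPE="hidden" NAME="TARGET" VALUE="{esc(target)}">\n'
    )
    if auto_submit:
        trigger = ""
        body_attr = ' onload="document.forms[0].submit()"'
    else:
        trigger = '<INPUT TYPE="Submit" NAME="button" VALUE="Submit">\n'
        body_attr = ""
    return (
        f"<HTML><BODY{body_attr}>\n"
        f'<FORM METHOD="POST" ACTION="{esc(action_url)}">\n'
        f"{hidden}{trigger}</FORM>\n</BODY></HTML>\n"
    )


_HIDDEN_RE = re.compile(r'<INPUT\s+TYPE="hidden"\s+NAME="([^"]+)"\s+VALUE="([^"]*)">')


def parse_post_form(page: str) -> dict:
    """Destination-side helper: recover the decoded response and TARGET from the page."""
    fields = {name: html.unescape(value) for name, value in _HIDDEN_RE.findall(page)}
    return {
        "SAMLResponse": base64.b64decode(fields["SAMLResponse"]).decode("utf-8"),
        "TARGET": fields["TARGET"],
    }
```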