OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] Stateless Conformity To SAML


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Friday, July 30, 2004 2:37 PM
> To: Steve Anderson; security-services@lists.oasis-open.org
> Subject: RE: [security-services] Stateless Conformity To SAML
> 
> 
> > "Worthless" may be a bit strong, but absolutely believe that it
> > significantly undermines conformance claims overall.  To stub out 
> > processing of the protocol would get you a pass on a (as of yet non-
> > existent) conformance test, but it does the customer no good.  
> 
> Right, that's my point. But I don't see how adhering to this protocol
> implies things about the implementation that other people seem to think it
> implies. So I think that's significant for understanding what conformance
> really means.
> 
> > This isn't to suggest that conformance claims guarantee the customer of a 
> > useful product, but it should at least suggest the vendor's intentions.
> > And here is a case where we would be pressing vendors to claim 
> > conformance to something they may have no intention of really leveraging.
> 
> Well, my issue I guess is that as an implementer I need to understand what
> "supporting" this feature means. I don't see anything in either the profile
> or protocol that implies anything about what the implementation has to do to
> satisfy the rules. It clearly means, if you have any notion of "remembering"
> users within the SAML implementation, that you're updating state. But that's
> a big "if" to me and it's not clear to me that a claim of conformance is
> specific enough to answer it.
> 
> -- Scott

And that's my point -- a conformance claim should offer a helpful clue, and at 
the very least, not be misleading.  Claiming conformance to Name ID management
messages seems very misleading if the product doesn't have any notion of
"remembering" users.
--
Steve Anderson
OpenNetwork



