OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: Comments on sstc-saml-core-2.0-draft-17.pdf (part 1, long)

I'm working on integrating some of these changes into core. Some specific
responses: 

> 658 - If one can only ever supply one OneTimeUse element, why is this 
> restricted in prose instead of schema? Should we not explain that 
> reasoning? BTW - line 772 duplicates the MUST
> 
> 663 - same comment as above, and MUST is also duplicated at line 803

The MUSTs are duplicated just for clarity. I didn't see it as a problem. The
reasoning of course is based on the xsi:type loophole, and it can't be
enforced in the schema (IMHO). I added a paragraph before the ConditionsType
schema is defined:

"Because the use of the xsi:type attribute would permit an assertion to
contain more than one instance of a SAML-defined subtype of ConditionsType
(such as OneTimeUseType), the schema does not explicitly limit the number of
times particular conditions may be included. A particular type of condition
MAY define limits on such use, as shown above."

> 774 and 805 - I am not sure what these sentences actually mean - "for 
> the purposes of determining the validity of the <Conditions> element, 
> the XXXX is considered to always be valid" - are you really saying that 
> the system entity evaluating the <Conditions> need not take these 
> conditions into account when determining overall validity of the 
> <Conditions> element?

Yes. The condition is "valid" in the sense that it has no impact on the
assertion's validity, it's a condition on use. Actually an Obligation, to be
honest about it. I added a short sentence to both to this effect.

> 863-870
> 
> I notice that the encrypted assertion type looks a lot like the 
> encrypted NameID type. I was wondering whether these could be derived 
> similarly - ie. define a BaseEncryptableType, and put the EncryptedData, 
> EncryptedKey into it.

As discussed in e-mail, the best we can do here is a model group, so I'm
going to incorporate one unless people don't want one.

> 898 - SubjectLocality - presumably this should refer to the subject 
> specified at the assertion-level? Should we say that?

Yeah, I actually saw some other spots where this clarification is useful.
I'll try and find others, particularly anywhere the phrase "statement's
subject" is used.

> 1318 - 1320 (also applies to 1382)  - lines are indented where they 
> probably shouldn't be. Also, this sentence makes me ask the question - 
> "What should I do if there's no signature present?" Can I also not rely 
> on the request?

I'm going to try and wordsmith this whole issue and we'll discuss it next
call.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]