security-services message


Subject: RE: [security-services] Comments on core-2.0-cd-01


Scott, inline

>-----Original Message-----
>From: Scott Cantor [mailto:cantor.2@osu.edu]
>Sent: Thursday, August 26, 2004 11:33 AM
>To: 'Paul Madsen'; security-services@lists.oasis-open.org
>Subject: RE: [security-services] Comments on core-2.0-cd-01
>
>
>> Section 3.7.3.1 (Lines 2340-2344) - The conditions against 
>> which assertions are measured to determine if a 
>> <LogoutRequest> should be applied omit the fundamental 
>> requirement of a match against any of BaseID or NameID or 
>> EncryptedID. 

Excuse my line numbers (they must have been against the last call draft).

The lines I'm referring to are actually 2423-2429 in CD. They appear to be
specific to guiding the session participant for <Assertion>s received after
the <LogoutRequest>.

We don't mention that there must be a match on NameID (or equivalent) even
though we do make this requirement in the paragraph above (Lines 2415-2417)
for the more general case when the <LogoutRequest> arrives after the
<Assertion>.
 
>
>I think there's some language in the single logout profile about this,
>because there was a sense on my part that it wasn't obvious at the core
>protocol level exactly what relationship existed between 
>assertions and the
>logout process.
>
>Whereas in the profile, it's discussed more in the context of 
>SSO. See line
>1256 of profiles.
>
>I'm willing to say more, but it's not quite so clear where to do it.
>
>> Section 8.3 - 
>> urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted missing 
>> from list of valid Format values
>
>We *may* not want to place it there, because it's actually not a NameID
>Format, but rather only gets used in a NameIDPolicy element's Format
>attribute.
>
>It was an oversight not saying something more about it, but I 
>don't think we
>should add to that section.

Well, the intro para for 8.3 says 'The following identifiers MAY be used in
the Format attribute of the <NameID>, <NameIDPolicy> ....' so the opening is
there to list it in this section.

In that case, the title of the section could be massaged.

Paul


>
>-- Scott
>
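The thread's first point is that a session participant must match the <LogoutRequest> against the subject identifier of an assertion (BaseID, NameID or EncryptedID) before any SessionIndex or timing test can make sense; without that match a logout for one principal could be applied to, or withheld from, another principal's session. The following Python is an added example written for this archive page; it is not code from the OASIS thread, the TC or the SAML specification. The matching rules it encodes (compare NameID value, Format and both qualifiers; then require a SessionIndex overlap when the request carries any; then treat an assertion issued after the request's IssueInstant as a new session that the logout does not cover) and the sample messages are assumptions constructed for illustration. A subject carrying an <EncryptedID> would have to be decrypted to a NameID before this check; the code simply declines to apply the logout when no plaintext NameID is present.

```python
# Added example (not from the OASIS thread or the SAML 2.0 text): decide
# whether a <LogoutRequest> applies to a given <Assertion>. The matching
# rules and the sample XML are assumptions constructed for illustration.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample <LogoutRequest> (not a captured message).
LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_lr-1" Version="2.0" IssueInstant="2004-08-26T15:40:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://idp.example.org"
      SPNameQualifier="https://sp.example.com">user-abc</saml:NameID>
  <samlp:SessionIndex>sess-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def make_assertion(name_id, session_index, issue_instant):
    """Build a minimal constructed <Assertion> (hypothetical helper)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a-1" Version="2.0" IssueInstant="{issue_instant}">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.org"
        SPNameQualifier="https://sp.example.com">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="{issue_instant}" SessionIndex="{session_index}">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def _name_id_key(elem):
    """Normalise a <NameID> to (value, Format, NameQualifier, SPNameQualifier).

    An absent Format is treated as the SAML 'unspecified' format. Returns
    None when there is no plaintext NameID (e.g. the subject is an
    <EncryptedID> that has not been decrypted yet).
    """
    if elem is None:
        return None
    return (
        (elem.text or "").strip(),
        elem.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"),
        elem.get("NameQualifier"),
        elem.get("SPNameQualifier"),
    )


def _parse_instant(value):
    """Parse a UTC xsd:dateTime of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def logout_applies_to(assertion_xml, logout_request_xml):
    """Return True if the logout request covers the session the assertion established.

    Order of checks (assumed rules): subject identifier match first, then
    SessionIndex overlap when the request names sessions, then timing.
    """
    req = ET.fromstring(logout_request_xml)
    assertion = ET.fromstring(assertion_xml)

    # 1. The fundamental requirement: the request's NameID must match the
    #    assertion subject's NameID on value, Format and both qualifiers.
    req_name = _name_id_key(req.find("saml:NameID", NS))
    subj_name = _name_id_key(assertion.find("saml:Subject/saml:NameID", NS))
    if req_name is None or subj_name is None or req_name != subj_name:
        return False

    # 2. If the request names specific sessions, one of them must appear in
    #    the assertion's AuthnStatement SessionIndex attributes.
    req_sessions = {(e.text or "").strip() for e in req.findall("samlp:SessionIndex", NS)}
    if req_sessions:
        authn_sessions = {
            s.get("SessionIndex")
            for s in assertion.findall("saml:AuthnStatement", NS)
            if s.get("SessionIndex")
        }
        if not (req_sessions & authn_sessions):
            return False

    # 3. Assumed timing rule for late-arriving assertions: an assertion issued
    #    after the logout request represents a new session and is not covered.
    if _parse_instant(assertion.get("IssueInstant")) > _parse_instant(req.get("IssueInstant")):
        return False
    return True


if __name__ == "__main__":
    before = "2004-08-26T15:30:00Z"
    print(logout_applies_to(make_assertion("user-abc", "sess-1", before), LOGOUT_REQUEST))  # True
    print(logout_applies_to(make_assertion("user-xyz", "sess-1", before), LOGOUT_REQUEST))  # False
```

The second call in the usage block is the case the thread is about: the SessionIndex matches, but the subject does not, so the logout must not be applied. Real deployments would also validate the request's signature and Issuer and decrypt any <EncryptedID> before reaching this comparison.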

