[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: SSO profile clarification
Just so this is tracked in the archives, I wanted to note a clarification on the SSO profile in case the spec does get submitted and we need to start an errata list (or whatever it's called).

Line 555 of profiles cd-2g (the spec up for vote) says: "Any bearer <SubjectConfirmationData> elements MUST contain..." It proceeds to outline what has to be included in the element to feed subsequent SP processing rules down below.

The intent of this paragraph was not that <SubjectConfirmationData> is optional in the profile. The wording is ambiguous because I was talking around the possible presence of other <SubjectConfirmation> elements in the same or other assertions in the response. The erratum would be something to the effect that the sentence should read: "Any bearer <SubjectConfirmation> elements MUST contain a <SubjectConfirmationData> element, which MUST contain..."

The profile isn't exactly insecure without the element, because a lot of it is redundant with other assertion content (or could be redundant), but for consistency and to enable more freedom in the assertion, this is where the protections are specified, particularly with POST.

-- Scott
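To make the difference between the two readings concrete, here is an added SP-side check (example code, not from the SAML profile or from Scott's message): with `require_data=True` it applies the intended wording, rejecting any bearer <SubjectConfirmation> that lacks a <SubjectConfirmationData>; with `require_data=False` it applies the literal cd-2g wording, under which a confirmation with no data element has nothing to evaluate and passes. It assumes the attributes the profile goes on to require in that element are Recipient, NotOnOrAfter, and InResponseTo when the response answers a request; the sample assertions and ACS URL are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def check_bearer_confirmations(assertion_xml, acs_url, now=NOW,
                               request_id=None, require_data=True):
    """Return a list of violations for the bearer confirmations in an assertion.

    require_data=True  -> intended (errata) reading: every bearer
                          <SubjectConfirmation> MUST carry <SubjectConfirmationData>.
    require_data=False -> literal cd-2g wording: only data elements that exist
                          are checked, so a bare confirmation slips through."""
    root = ET.fromstring(assertion_xml)
    problems = []
    bearers = [c for c in root.iter(f"{{{SAML}}}SubjectConfirmation")
               if c.get("Method") == BEARER]
    if not bearers:
        return ["no bearer SubjectConfirmation present"]
    for idx, conf in enumerate(bearers):
        data = conf.find(f"{{{SAML}}}SubjectConfirmationData")
        if data is None:
            if require_data:
                problems.append(f"confirmation {idx}: SubjectConfirmationData missing")
            continue  # literal reading: nothing here to evaluate
        if data.get("Recipient") != acs_url:
            problems.append(f"confirmation {idx}: Recipient is not this SP's ACS URL")
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            problems.append(f"confirmation {idx}: NotOnOrAfter missing")
        elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            problems.append(f"confirmation {idx}: NotOnOrAfter already passed")
        if request_id is not None and data.get("InResponseTo") != request_id:
            problems.append(f"confirmation {idx}: InResponseTo does not match request")
    return problems

# Constructed sample assertions (signatures and Conditions omitted for brevity).
WITH_DATA = f"""<Assertion xmlns="{SAML}"><Subject><NameID>alice</NameID>
 <SubjectConfirmation Method="{BEARER}">
  <SubjectConfirmationData Recipient="https://sp.example/acs"
    NotOnOrAfter="2030-01-01T00:00:00Z" InResponseTo="_req1"/>
 </SubjectConfirmation></Subject></Assertion>"""
WITHOUT_DATA = f"""<Assertion xmlns="{SAML}"><Subject><NameID>alice</NameID>
 <SubjectConfirmation Method="{BEARER}"/></Subject></Assertion>"""

if __name__ == "__main__":
    for name, doc in (("with data", WITH_DATA), ("without data", WITHOUT_DATA)):
        for strict in (True, False):
            print(name, "intended" if strict else "literal",
                  check_bearer_confirmations(doc, "https://sp.example/acs",
                                             request_id="_req1", require_data=strict))
```

Running it shows the bare confirmation rejected under the intended reading and accepted under the literal one, which is exactly the gap the erratum closes.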