RE: [security-services] Editorial Update to Section 3.3 of confor mance

["Scott Cantor" <cantor.2@osu.edu>]

> - I was thinking at Obtained is a super class 
> (generalization) of Prior, Implicit, and Explicit? But this 
> isn't a conformance question rather a spec interpretation.

Yes, it's a superset.

> - It is not clear if consent can be obtained generally for 
> Saml 2.0 usage (i.e., is that sufficient), or do your 
> comments apply to every requesting protocol (i.e., you need 
> to have a way to obtain consent for authn request, for 
> logout, for fed id termination, for name id mapping, etc...). 
> Sounds like consent has to apply to all requesting protocols, 
> therefore, a conformant implementation has to be able to ask 
> for consent each time. 

It's per message, but I think you're missing the point here (both of you).
The SAML 2.0 implementation's job is not to ask for consent, but to reflect
whether consent was obtained. If your implementation wants to directly
interact with the user to do that, that's up to you, but a conforming
implementation just needs a per-request knob to indicate the value to use.
Which might be set at deploy-time to "unspecified"/omit.

-- Scott