[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Comments on draft-cantor-saml-sso-delegation-01
1. First, a dumb question -- How does a recipient distinguish between a delegated SAML assertion and one that is not so delegated? I guess the only way to do so is to examine the relationship between the attesting entity, the subject of the assertion and a <saml:SubjectConfirmation> element. It would be helpful we could establish some definitions or clarifications here, even if they are purely informational. I guess the "SenderVouches" model was a slash and burn way of marking an assertion as delegated. Unfortunately, it does not carry a confirming key with it and so not that helpful is many contexts. 2. I suggest changing lines 271-273 to: "Method attribute set to any one of urn::oasis:names:tc:SAML:2.0:cm::holder-of-key, urn::oasis:names:tc:SAML:2.0:cm:sender-vouches, urn::oasis:names:tc:SAML:2.0:cm:bearer. In some cases (e.g., holder-of-key) it may also designate a specific key." 3. line 300 Is the audience element (urn:mace:shiboleth:2.0:profiles:delegation) used here to signify delegated use of the assertion? I guess that might answer question 1 above. This seems to be confirmed by lines 325-326. 4. lines 330-331 I am not sure I agree with this, to me it sounds like use of the delegation audience value is signalling possible delegation use (vs. vanilla HoK semantics). 5. lines 332-341, 381-383 Needs to extended with SV and bearer cases. I can provide some text in a follow-up message. ------------ - prateek
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]