[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: PE52
|
I owed proposed text for PE52. My original PE52 comment dealt with Profiles lines 556-7,
which states that a NotOnOrAfter attribute in the ** <SubjectConfirmationData>
** element MUST be included in the SSO profile so that it “limits the window
during which the assertion can be delivered”. Note that the text is not talking
about the NotOnOrAfter attribute on the <Conditions> element. I pointed out that Core defines the attribute on the <SubjectConfirmationData>
element as being the time after which the subject can’t be confirmed. So
my point was that the text in profiles should be described in terms of its definition
in Core. Otherwise, it’s being used for something in the profile
that it’s not defined for in Core. IMO, it is the NotBefore/NotOnOrAfter attributes on the
<Conditions> element that limits the window during which an assertion can
be delivered (or more specifically, when it will be considered valid by a
recipient). But IMO, the NotOnOrAfter on the
<SubjectConfirmationData> element just limits the window during which the
subject can be confirmed, and that window might conceivably be different from
the assertions validity window based on the <Conditions> element. Now I don’t know if any implementations actually use
different values for the NotOnOrAfter attribute on these two elements, but technically
they could be different. If they are different, then the text in profiles
could technically be wrong as I read it. So my proposed text changes Profiles
lines 556-7 from “a NotOnOrAfter attribute
that limits the window during which the assertion can be delivered” to “a
NotOnOrAfter attribute that limits the window
during which the recipient can perform a confirmation of the assertion <Subject>”. Rob Philpott |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]