security-services message

Subject: comments re draft-sstc-saml2-infocard-01


Document ID: draft-sstc-saml2-infocard-01

Comments:

[lines 186--188] Granted, section 3.4 of [SAML2Core] says that "A SAML
authority that supports this protocol is also termed an identity
provider" but that doesn't preclude an IdP from supporting other
protocols, does it?  Where does it say that an IdP is an "entity that
issues authentication assertions"?  I think that definition is too
restrictive.  The definition I often give (correct or not) is that an
IdP is a producer of assertions.  You can fiddle with words a little
bit, but I think that's the correct level of generality.

[lines 212--217] This requirement seems to be more trouble than it's
worth.  Why not just map each and every such claim to a
<saml:Attribute> element?

[lines 241--242] If an Address XML attribute is included, what does
the RP need to do about it, if anything?  More generally, what does
the RP need to do to confirm the subject?  (This is a glaring
omission, I think.)

[lines 243--247] The normative language regarding the Recipient XML
attribute amounts to a meaningless requirement.  On the one hand, it's
a MUST (that depends on a condition no less), but then in the next
sentence it's a SHOULD NOT.  This paragraph needs to be cleaned up, I
think.

[lines 254--256] This is a meaningless requirement since the MUST
depends on a condition.  I suggest you remove the condition and
reformulate the requirement.

[lines 262--265] This paragraph is confusing since the SHOULD and the
MUST seem to contradict each other.  The condition on the SHOULD
doesn't help, either.

[lines 298--299] I don't believe [SAML2Prof] has anything to say about
confirmation of subjects, so I believe you need to spell this out.

[lines 306--307] I don't understand this sentence.  I guess I don't
know what "in the manner described by [ISIP]" means.  Is this really a
requirement about the use of SAML metadata or is it something else?

Suggested edits:

[line 15, 105, 161, 166, 167, 178, 179, 195, 269, 275, 302] s/SAML
2.0/SAML V2.0/

[line 131] Italicize "Assertions".

[line 181] s/safe,/safe/

[line 188] Expand "IP/STS".

[line 211, 268] s/e.g./e.g.,/

[line 226, 239] s/"Holder of Key"/holder-of-key/

[line 237] s/limit its/limit their/

[line 281, 285] s/i.e./i.e.,/

[line 284] s/RequestSecurityTokenTempplate/RequestSecurityTokenTemplate/

[line 303] s/as a supplement/and as a supplement/

[line 329] s/Acknowledgements/Acknowledgments/

Tom Scavo
NCSA
