[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: comments re draft-sstc-metadata-iop-02
SAML V2.0 Metadata Interoperability Profile Document ID draft-sstc-metadata-iop-02 General comments: - The SAML V2.0 metadata specification [SAML2Meta] requires that signatures be verified. What if the consumer can not verify the signature? - A signature may appear on a RoleDescriptor or a AffiliationDescriptor element within an EntitiesDescriptor (or EntityDescriptor) element. What if the consumer can not verify the signature on a RoleDescriptor or a AffiliationDescriptor element? - In section 2.5.1, are you suggesting that keys bound to certificates be called out in metadata with the <ds:KeyValue> element? Why not use <ds:X509Data> exclusively in this case? - In section 2.5.1, you don't mention <ds:X509SKI> but as you know, this element is similar to <ds:X509Certificate> in that it unequivocally defines a key. - As noted in section 2.7, the validUntil and cacheDuration attributes are particularly important. However, [SAML2Meta] does not adequately treat the case when they appear on a RoleDescriptor or a AffiliationDescriptor element within an EntitiesDescriptor (or EntityDescriptor) element Specific comments: - [lines 163--165] Why is this reference normative? - [lines 189--191] I think this should reference the Second Edition of [XMLSig]. - [line 245] Is this subsection really needed? - [lines 257--258] I don't understand the normative requirement you're trying convey in this sentence. Shouldn't this be a MUST? - [lines 258--260] I don't understand this sentence. In what sense does this profile apply to the <md:RoleDescriptor> element? - [lines 278--279] This normative requirement is redundant since the previous section contains an identical requirement. - [lines 284--285] I don't see the point of allowing both forms in a single <ds:KeyInfo> element. This could be a source of problems in fact. For instance, how does a consumer process such a construct? - [lines 294--296] This requirement contradicts (in spirit, at least) section 3.1.5 of [SAML2Meta]. - [line 307] The parenthetical remark on this line is unclear. What does the pronoun "their" refer to? Suggested edits: - [line 179] s/S. Cantor/J. Hughes/ - [line 195] s/S. Cantor/S. Whitehead/ - [line 224] s/a public key infrastructure/an X.509-based public key infrastructure/ - [line 225] s/as in/as specified in/ - [line 268] s/i.e./i.e.,/ - [line 311, 332, 346] s/e.g./e.g.,/ Tom Scavo NCSA
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]