OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: comments re sstc-saml-binding-simplesign-cd-04

SAML V2.0 HTTP POST "SimpleSign" Binding
Document ID sstc-saml-binding-simplesign-cd-04

Comments:

- [line 27] Replace this previous SSTC co-chair with a current co-chair.

- [lines 138--141] This paragraph belongs in section 2, which is normative.

- [line 153] The prefix SOAP-ENV: defined in the table is unused.

- [section 1.3] This section includes both normative and non-normative
references.

- [lines 197--199] This should be the Second Edition of the XML
Signature specification.

- Underlining should be replaced with italics and/or boldfaced throughout.

- [lines 222-225] This sentence appears to be saying just the opposite
of what's intended, I think.

- [line 249] What base64 encoding rules are you referring to?

- [lines 279--280] According the HTML4 spec, the enctype attribute on
the HTML <form> element defaults to
"application/x-www-form-urlencoded" so why MUST it be set to the
previous value?

- [lines 294--297] This requirement is actually a conformance
requirement and therefore it belongs in section 1.4.

- [lines 299--311] Should the concatenated strings be URL-encoded
before or after applying the signature algorithm?

- [lines 316--320] I'm not sure I understand the point being made in
this paragraph.  First, there are no form controls in an HTTP GET
request, so I'm not sure what you're referring to when you use that
term here.  Second, literal line feeds are not allowed in an URI, they
must be URL-encoded, right?  Do you still have problems have
URL-encoding?  I guess I find that hard to believe.

- What processing steps are required if the message is NOT SimpleSigned?

- [line 375] The normative requirement for TLS 1.0 is a requirement
for a version of TLS that has been twice obsoleted by two newer
versions of TLS.

- [lines 382--385] These lines are redundant with other lines in section 2.

- [lines 408--410] If the Signature form control is not present, may
the message be processed according to the SimpleSign binding spec?

Tom Scavo
NCSA

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]