Subject: RE: [imi-comment] Comment on Identity Metasystem Interoperability
The IMI TC discussed this on our call today. We divided it into multiple issues; issue numbers and resolutions are inline below.

http://lists.oasis-open.org/archives/imi/200904/msg00047.html

A new draft with the resolutions incorporated will be available in the next several days.

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@oracle.com]
Sent: Wednesday, April 29, 2009 6:59 AM
To: imi-comment@lists.oasis-open.org
Subject: [imi-comment] Comment on Identity Metasystem Interoperability

I am sorry this is late; I thought the deadline was today.

Comments on identity-1.0-spce-cd-02.pdf

----------------
---- Unclear text on end of STS chain
http://tools.oasis-open.org/issues/browse/IMI-20
----
Section 2.3 is much less clear than the rest of the document. Lines 383-385 say:

    When following a chain of STSs, when an STS with an ic:RequireFederatedIdentityProvisioning declaration is encountered as per Section 3.2.1, this informs the Identity Selector that the STS is an IP/STS, rather than a member of the RP/STS chain.

It is not clear what this means or what its significance is. If the intent is that the IP/STS marks the end of the chain, why not say so?

---- Resolution
Change:
    this informs the Identity Selector that the STS is an IP/STS
To:
    this informs the Identity Selector that the STS is an IP/STS and therefore ending the STS chain

Assigned to editors. Agreed editorial and non-substantive change.
----
----------------

----------------
---- PPID in lines 390-392 should spell out what it stands for
http://tools.oasis-open.org/issues/browse/IMI-21
----
The mention of PPID in lines 390-392 should spell out what it stands for (private personal identifier) and include a forward reference to section 3.3.4 where it is defined. Perhaps this section could be moved to later in the document, after PPID has been described.

---- Resolution
Agreed, assigned to editors. Agreed editorial and non-substantive change.
----
----------------

----------------
---- Usage of term certificate is unclear
http://tools.oasis-open.org/issues/browse/IMI-22
----
The text makes repeated references to "certificate". Is certificate distinct from "token"? What qualifies as a certificate? PK certificate? X.509 certificate? PKIX profiled certificate? Does a Kerberos token qualify? How about a SAML token with a PK?

What role does this certificate play? Does it represent the identity of one of the parties? If so, which one? Is it an encryption key for one of the parties?

Lines 397-399 say:

    Each RP/STS endpoint MUST provide a certificate. This certificate MAY be communicated either via Transport (such as HTTPS) or Message (such as WS-Security) Security. If Message Security is employed, transports not providing security (such as HTTP) may be used.

Is the sender required to provide PoP of the private key? How exactly is the certificate to be sent? In the SOAP body? In the Security header?

---- Resolution
Agreed to add a definition of certificate to the terminology section, noting that it means X.509 unless otherwise qualified. Include a description that certificate usage is dictated by the underlying protocols, e.g. HTTPS or WSS, except where noted. Editors to double check whether there are any instances of certificate that are not X.509.

Assigned to editors. Agreed editorial and non-substantive change.
----
----------------

----------------
---- Missing "claim type" in text
http://tools.oasis-open.org/issues/browse/IMI-19
----
Line 687 says:

    This optional element provides a friendly name for this individual.

It should read:

    This optional element provides a friendly name for this individual claim type.

---- Resolution
Agreed, assigned to editors. Agreed editorial and non-substantive change.
----
----------------

Regards,

Hal Lockhart
Oracle
Member of OASIS Tab