saml-dev message



Subject: RE: [saml-dev] the value of AuthnInstant


I just find this errata interesting:

	I know you guys haven't been paying attention to what it says in here, in the spec, but we really mean business this time. You should do what the spec says in this area, not ignore it.

Yes, I'm being a bit of a pain here, but that about sums up what an errata would end up saying. The spec does call out for specific behavior and, because some parties have ignored it in the past, we're going to add an errata that says you really need to do what the spec says.

Conor

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Wednesday, February 13, 2008 11:19 AM
> To: ari.kermaier@oracle.com; Cahill, Conor P; 'Tom Scavo'
> Cc: 'SAML Developers'
> Subject: RE: [saml-dev] the value of AuthnInstant
> 
> > I would say that if an IdP does not retain enough state to produce an AuthnStatement that is internally consistent (i.e., all the content describes the same authentication event) then, in fact, it's not compliant. Thus, if an IdP does not preserve the time that the user presented his password, it cannot claim Password AC after the first AuthnStatement, and must henceforth use ExistingSession as the AC.
> 
> That's fine. I'm simply pointing out (again) that SAML 1.1 had no such Authn Method defined in the spec and implementations did behave in the way you think is non-compliant. In other words, the meaning of the timestamp was deployment-specific.
> 
> Since there's rarely been any mention of that ExistingSession AC class, it struck me as odd that one could argue SAML 2.0 changed this constraint without changing any of the relevant language in the spec to at least note that, hey, now we can do this because we have an Authn Method (class) that makes the difference clear.
> 
> So as Tom says, I think this is an errata.
> 
> -- Scott
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
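The rule Ari states in the quoted text (an IdP that has not kept the time at which the password was presented cannot keep asserting the Password class and must fall back to the existing-session class), written out as an added Python example. This is not code from the thread, from OASIS or from any SAML implementation; the IdP session model, the SP-side freshness policy and the timestamps are constructed for illustration. The class URIs are the ones defined for SAML 2.0 authentication context; the class the thread calls "ExistingSession" is spelled "PreviousSession" in the URI.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# SAML 2.0 authentication context class URIs. The thread calls the second one
# "ExistingSession"; the defined URI uses the name "PreviousSession".
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"


@dataclass
class IdPSession:
    """Constructed model of the state an IdP keeps for a logged-in user."""
    subject: str
    # When the user actually presented the password, if the IdP retained it.
    password_authn_at: Optional[datetime]
    # When the current SSO session was (re)used to serve this request.
    session_event_at: datetime


@dataclass
class AuthnStatement:
    """The two AuthnStatement fields the thread is concerned with."""
    authn_instant: datetime
    authn_context_class_ref: str


def build_authn_statement(session: IdPSession) -> AuthnStatement:
    """IdP side: build an internally consistent AuthnStatement.

    The Password class is only asserted together with the instant at which
    the password was actually presented. If that instant was not retained,
    the IdP asserts PreviousSession with the instant of the session event,
    so the instant and the class always describe the same event.
    """
    if session.password_authn_at is not None:
        return AuthnStatement(session.password_authn_at, AC_PASSWORD)
    return AuthnStatement(session.session_event_at, AC_PREVIOUS_SESSION)


def check_consistency(stmt: AuthnStatement, now: datetime,
                      max_password_age: timedelta,
                      clock_skew: timedelta = timedelta(minutes=5)) -> str:
    """SP side: decide what the AuthnInstant means given the class.

    Constructed policy: a Password assertion is only useful if the password
    event is recent enough; a PreviousSession assertion says nothing about
    when the password was presented, so the SP applies its session policy.
    """
    if stmt.authn_instant > now + clock_skew:
        return "reject: AuthnInstant is in the future"
    if stmt.authn_context_class_ref == AC_PASSWORD:
        if now - stmt.authn_instant > max_password_age:
            return "reauth: password event older than SP policy allows"
        return "accept: fresh password authentication"
    if stmt.authn_context_class_ref == AC_PREVIOUS_SESSION:
        return "accept: existing session, apply SP session policy"
    return "reject: unknown authentication context class"


def demo() -> dict:
    """Run the two IdP behaviours from the thread on constructed timestamps."""
    now = datetime(2008, 2, 13, 12, 0, tzinfo=timezone.utc)
    pw_time = now - timedelta(hours=3)             # password presented 3h ago
    session_reuse = now - timedelta(seconds=30)    # SSO session reused just now
    policy = timedelta(hours=1)                    # SP wants a password <1h old

    # IdP that retained the password instant: Password class with the old instant.
    keeps_state = build_authn_statement(IdPSession("alice", pw_time, session_reuse))
    # IdP that dropped it: may not claim Password, falls back to PreviousSession.
    lossy = build_authn_statement(IdPSession("alice", None, session_reuse))

    return {
        "keeps_state_class": keeps_state.authn_context_class_ref.rsplit(":", 1)[1],
        "keeps_state_age_h": (now - keeps_state.authn_instant) / timedelta(hours=1),
        "keeps_state_verdict": check_consistency(keeps_state, now, policy),
        "lossy_class": lossy.authn_context_class_ref.rsplit(":", 1)[1],
        "lossy_verdict": check_consistency(lossy, now, policy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is the one Scott raises about SAML 1.1: without the class, an SP cannot tell whether a three-hour-old AuthnInstant means "the password was presented three hours ago" or "a session that started three hours ago was reused", so any freshness decision it bases on the timestamp is deployment-specific. With the class carried alongside the instant, the SP's verdict follows from the statement itself.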
