OASIS Mailing List Archives



security-services-comment message


Subject: Public Comment

Comment from: kjg@quadrasis.com

Glossary feedback: (sstc-saml-glossary-2.0-cd-01.pdf)

[Lines 78-83] 'Access' and 'Access Control' have the same definitions. I suspect that these should have different descriptions, however if this duplication is indeed intentional, wouldn't a simple cross-ref serve the purpose better?

[Line 124] 'Anonymity' definition is buried inside that of 'Affiliation'

[Lines 195-199] The terms 'simple session' and 'rich session' are italicized as if they would be defined elsewhere in this glossary -- they are not. The definition of 'Session' (lines 336-338) could be augmented to include these terms.

[Line 264] The special purpose terms 'active roles' and 'passive roles' are mentioned here but are not defined elsewhere in the glossary.

[Line 335] Question: does a 'Service Provider' provide services *to* a principal or *about* a principal? It seems that a PEP asks questions of a PDP (I assume that an 'Authorization Decision Provider' is actually a Service Provider) *about* principals.

[Lines 336-338] 'Session' is a key term and I think it could use more clarity. Important aspects, such as what causes a session to start or end, whether more than one simultaneous 'Session' can exist between any two given system entities, whether it matters if session state is held at the networking, transport, or application/process level, the relationship between existing sessions and the concept of identity (de)federation, and so on, would clarify the description further. For example, can one not have interactions with a 'stateless' application service (perhaps an enterprise bean) by means of a stateful SSL connection? In this case, just where is the 'Session' that SAML is most concerned about?

[Line 343] It should be assumed by the reader that 'ASP site' does not involve a Web Site using Active Server Pages, right?

[Lines 344-349] The 'SSO Assertion' is not a term that I have found in the SAML Bind, though there is a reference to the ECP SSO profile which does not shed more light on just what an 'SSO Assertion' is. So far as I can tell, the Assertion schema does not mandate presence of one or more conditions in an assertion though the glossary entry indicates this is the case for SSO Assertions. Can you clarify where I would find more info about the 'SSO Assertion' in the SAML 2.0 doc set? Thanks.
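Editor's note on the last point: the commenter's observation about the schema is correct. In the SAML 2.0 core schema the <Conditions> child of <Assertion> is optional (minOccurs="0"), so a schema-valid assertion may carry no validity window and no audience at all. It is the Web Browser SSO profile, not the schema, that requires each bearer assertion to contain an <AudienceRestriction> naming the service provider, and in practice the relying party has to enforce that itself. The check below is an added example written for this archive page; it is not code from the commenter, from Quadrasis, or from OASIS. The two assertions in it are constructed samples, and the issuer and service-provider URLs (idp.example.org, sp.example.com) are placeholders. Signature verification is deliberately out of scope and must happen before any of these values are trusted.

```python
"""Enforce the SSO-profile expectations on <Conditions> that the SAML 2.0
core schema leaves optional.  Added illustration for the archive page; not
part of the glossary, the comment, or any OASIS deliverable."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def parse_saml_time(value: str) -> datetime:
    """SAML carries xs:dateTime in UTC with a trailing 'Z'; return an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML times must be UTC with a trailing Z: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_sso_conditions(assertion_xml: str, expected_audience: str, now: datetime) -> list[str]:
    """Return the list of profile violations found (empty means the Conditions
    checks pass).  Signature validation is assumed to have happened already."""
    findings: list[str] = []
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return [f"not a SAML 2.0 Assertion element: {root.tag}"]

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        # Schema-valid, but an AudienceRestriction can only live inside
        # <Conditions>, so the SSO profile cannot be satisfied without it.
        return ["no <Conditions> element: schema allows it, SSO profile does not"]

    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        findings.append(f"assertion not yet valid (NotBefore={not_before})")
    if not_on_or_after is None:
        findings.append("no NotOnOrAfter: assertion would never expire")
    elif now >= parse_saml_time(not_on_or_after):
        findings.append(f"assertion expired (NotOnOrAfter={not_on_or_after})")

    restrictions = conditions.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        findings.append("no <AudienceRestriction>: assertion could be presented to any SP")
    for restriction in restrictions:
        # Each AudienceRestriction must independently name this SP; when several
        # are present, all of them have to be satisfied (SAML Core 2.5.1.4).
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            findings.append(f"audience mismatch: {audiences} does not include {expected_audience!r}")
    return findings


# Constructed sample assertions with placeholder URLs (not from any real IdP).
PROFILE_CONFORMING = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SCHEMA_ONLY = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a2" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
</saml:Assertion>"""


def demo() -> dict[str, list[str]]:
    """Run the check against the samples at a fixed clock so results are stable."""
    now = datetime(2004, 12, 5, 9, 22, 30, tzinfo=timezone.utc)
    sp = "https://sp.example.com"
    return {
        "conforming": check_sso_conditions(PROFILE_CONFORMING, sp, now),
        "schema_only": check_sso_conditions(SCHEMA_ONLY, sp, now),
        "expired": check_sso_conditions(PROFILE_CONFORMING, sp, now.replace(minute=40)),
        "wrong_sp": check_sso_conditions(PROFILE_CONFORMING, "https://other.example.net", now),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["ok"])
```

The "schema_only" sample is the case the commenter is asking about: it parses and validates against the core schema, yet a relying party following the SSO profile must reject it, because nothing binds it to a particular service provider or validity window.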
