security-services-comment message



Subject: Fwd: [security-services-comment] SAML 2.0 Identity Provider Discover Profile


---------- Forwarded message ----------
From: Tom Scavo <trscavo@gmail.com>
Date: Sun, 31 Oct 2004 21:54:12 -0500
Subject: Re: [security-services-comment] SAML 2.0 Identity Provider
Discover Profile
To: Scott Cantor <cantor.2@osu.edu>
Cc: SAML <security-services@lists.oasis-open.org>


On Sun, 31 Oct 2004 21:40:33 -0500, Scott Cantor <cantor.2@osu.edu> wrote:


>
> > Section 4.3 of [SAMLProf]
> >
> > [lines 1066--1067]  The phrase "[common-domain]" is not well defined.
> > Suppose the common domain is CommonDomain.com.  Then the Domain
> > attribute of the cookie should be set to ".CommonDomain.com".  RFC
> > 2109 states that the Domain attribute "must always start with a dot."
> > RFC 2965 (which obsoletes RFC 2109) states that if the Domain
> > attribute "does not start with a dot, the user agent supplies a
> > leading dot."  It is safest, however, to explicitly include the dot.
>
> Have added a SHOULD to include a leading period. The RFCs seem to be in
> practice meaningless, but a period does no harm.

Note that the liberty spec does indeed include a literal period inside
the double quotes.  (Did this get lost in translation?)  Note also
that the setDomain method of the javax.servlet.http.Cookie class also
requires a period.

Cheers,
Tom
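
The difference between the two RFC statements quoted in this message, as an added example that is not part of the original email or of any SAML or Liberty code. It models only the Domain-attribute rules as written in RFC 2109 and RFC 2965, not the behaviour of any particular browser; the host names are constructed.

```python
# Added illustration. Models the Domain-attribute handling described in
# RFC 2109 and RFC 2965 as text, not any real user agent. Hosts are constructed.

def domain_match(host, domain):
    """True if host equals domain, or domain is '.B' and host is 'N.B' style."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return (domain.startswith(".") and host.endswith(domain)
            and len(host) > len(domain))


def effective_domain(domain_attr, rfc):
    """Domain value the user agent would use, or None if it rejects the cookie."""
    if rfc not in (2109, 2965):
        raise ValueError("rfc must be 2109 or 2965")
    domain = domain_attr.lower()
    if not domain.startswith("."):
        if rfc == 2109:
            return None           # RFC 2109: Domain must always start with a dot
        domain = "." + domain     # RFC 2965: user agent supplies the leading dot
    # Both RFCs reject a Domain with no embedded dots (RFC 2965 exempts ".local").
    if "." not in domain[1:] and not (rfc == 2965 and domain == ".local"):
        return None
    return domain


def accepts(request_host, domain_attr, rfc):
    """Return the stored Domain if the cookie is accepted, else None."""
    domain = effective_domain(domain_attr, rfc)
    if domain is None or not domain_match(request_host, domain):
        return None
    # Reject when the host prefix in front of the Domain itself contains a dot.
    prefix = request_host.lower()[: -len(domain)]
    if "." in prefix:
        return None
    return domain


if __name__ == "__main__":
    host = "sp.commondomain.com"  # constructed host inside the common domain
    for attr in (".CommonDomain.com", "CommonDomain.com"):
        for rfc in (2109, 2965):
            print(f"RFC {rfc}  Domain={attr!r:22} -> {accepts(host, attr, rfc)}")
```

Only the value with the explicit leading dot is accepted under both models, which is the case for writing the dot out.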

