Subject: Re: [security-services-comment] holder-of-key-browser-sso-draft-09


Hi, the following is a little bit in disorder:

- 2.2 lines 245 to 249 need some work IMO.

  "globally unique namespace" can be easily misunderstood.
  (Later one talks about unique identifiers!)
  "mutually" trusted root means what? Who are the entities?
   Isn't "PKI validation" related to CRL and OCSP?

   "or for all participants in SSO to utilise X.509": In the following
   description, both the SP and the IdP use X.509. (see end of 2.4.4
   and 2.4.6)

Both parties use keys exchanged in the form of X.509, but they do not
necessarily use PKI services such as certificate validation procedures
of X.509 or OCSP (in particular, the SP).

- There seems to be duplicate and slightly inconsistent text among
  the corresponding subparagraphs of 2.3 and 2.4. One has in fact
  three descriptions if one counts the text in the figure on page 9.

Details:

The paragraph after line 258 on page 9 concerning
"Service Provider Determines Identity Provider":
261: add ", and/or any" before other at the end of the line.
I suggest to remove "such as the X.509 subject". Seems to be
inconsistent with "no need for globally unique namespace" in 2.2.

"This may be done through the use of a discovery service as described in
[IDPdisco], by examining fields in a certificate if presented through TLS
client authentication, or any other means." or remove the whole sentence

The last sentence in line 266/267 is unclear.
Using TLS is not a sufficient terminology. One has to
deduce from the graphics that client authentication is happening.
I am not sure then that the text is consistent with paragraph 2.4.3.

in line 276, it is not indicated that TLS client authentication is used.
... presents this response in using TLS client authentication with the
    confirmed certificate.

Have fun.
Peter