security-services-comment message


Subject: Re: Comments on SAML technical overview section 5.1.3


Thanks for your feedback on the technical overview.  The document  
itself is fairly old and probably generally in need of revision.  I  
can respond to your specific suggestions, and feed them into the  
revision process when a TC member has time to initiate it.   
Unfortunately, we've got two or three major documents working their  
way through the TC right now, and several more work items are on the  
horizon, so I'm not sure when that time would arrive.

At such a time, we would intend to push the document through the non- 
standards-track mechanisms recently established by OASIS, so once  
initiated, it should go a little faster.

> - Figure 13 title is missing the name of the binding that it is  
> illustrating.
> - The explanatory text in section 5.1.3 explains that a HTTP POST  
> binding is being used, but the diagram does not seem to illustrate a  
> HTTP POST. Note that the processing explanation for step 2 says that  
> a form is sent back in a HTTP response, which does not seem to be  
> what the diagram illustrates.

The HTTP POST refers only to the AuthnRequest, so it's step 2 in the
diagram which is wrong.  It should be a POST operation.  The rest of
the diagram (binding excluded, of course) appears to be correct.

> - The phrase " ... message in cases where its length precludes the  
> use of the HTTP Redirect binding (which is typical)." does not make  
> it clear whether the HTTP Redirect is "typical", or whether it is  
> typical that the length of the message is such that it precludes the  
> HTTP Redirect.

I think better wording would be "the binding that is most commonly  
used," or maybe, "where atypically large size precludes"... Such a  
large AuthnRequest is clearly atypical.

> - The numbering of the steps describing the processing in 5.1.3 is  
> sequenced 1, 2, 1, 3 ... 8. I think that the second '1' is wrong.

Yes, it's extraneous due to poor formatting and should be removed.

> If there is a better way to provide this feedback, please let me know.

The best choice would be to use the security-services-comment@lists.oasis-open.org
mailing list.  I'll be glad to continue this conversation or handle
any other questions/observations you might have there.


Thank you very much for the close read and contribution,
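The exchange above turns on two points about the SAML 2.0 AuthnRequest: in the HTTP POST binding the request travels as a base64 field in a self-submitting HTML form returned in an HTTP response (the corrected step 2), whereas in the HTTP Redirect binding it is deflated, base64-encoded and carried in the query string of a 302 Location URL, which is why an atypically large request can preclude that binding. The following is an added illustration, not code from the technical overview or from the OASIS TC; the AuthnRequest content, the IDs and the sp/idp.example.org URLs are constructed placeholders, and the form markup follows the general shape described in the binding rather than any particular product's output.

```python
import base64
import html
import re
import urllib.parse
import zlib

# Constructed sample AuthnRequest for illustration only; ID, timestamp and
# endpoint URLs are placeholders, not values from the SAML specifications.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" '
    'IssueInstant="2005-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.org</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

IDP_SSO_URL = "https://idp.example.org/sso"  # placeholder IdP endpoint


def encode_redirect(xml, sso_url, relay_state=None):
    """HTTP Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode into the SAMLRequest query parameter of the Location URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urllib.parse.urlencode(params)}"


def decode_redirect(url):
    """Inverse of encode_redirect: pull SAMLRequest out of the query string,
    base64-decode and inflate it back to the XML."""
    query = urllib.parse.urlparse(url).query
    b64 = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def encode_post_form(xml, sso_url, relay_state=None):
    """HTTP POST binding: base64 (no compression) in a hidden field of a
    form that the browser submits to the IdP's SSO endpoint."""
    b64 = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    fields = f'<input type="hidden" name="SAMLRequest" value="{html.escape(b64)}"/>'
    if relay_state:
        fields += (
            f'<input type="hidden" name="RelayState" '
            f'value="{html.escape(relay_state)}"/>'
        )
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(sso_url)}">{fields}'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


def decode_post_form(form_html):
    """Inverse of encode_post_form: read the SAMLRequest hidden field and
    base64-decode it (no inflate step in the POST binding)."""
    match = re.search(r'name="SAMLRequest" value="([^"]+)"', form_html)
    if match is None:
        raise ValueError("form carries no SAMLRequest field")
    return base64.b64decode(html.unescape(match.group(1))).decode("utf-8")


def binding_sizes(xml, sso_url):
    """Compare what each binding puts on the wire: the Redirect URL length
    (subject to URL length limits) against the POST form body length."""
    return {
        "redirect_url_length": len(encode_redirect(xml, sso_url)),
        "post_form_length": len(encode_post_form(xml, sso_url)),
    }


if __name__ == "__main__":
    sizes = binding_sizes(SAMPLE_AUTHN_REQUEST, IDP_SSO_URL)
    print("Redirect URL length:", sizes["redirect_url_length"])
    print("POST form length:   ", sizes["post_form_length"])
```

The round trips in both directions are the check worth keeping at hand when reviewing a diagram or an implementation: the Redirect decoder must inflate, the POST decoder must not, and a request whose Redirect URL grows past what the browser or the IdP's web server will accept is exactly the case the overview's "length precludes" sentence is about.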
