OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Comment on core-25 sec

>  I remain concerned about the semantics of this element. I 
> feel it has not been thought through in the SAML context but 
> perhaps imported from some specific or proprietary 
> implementation that may be of interest to a few individuals.

Given that more than one party felt it was needed, I don't think it's
fair to call it specific or proprietary. This is nothing earthshaking.
You've got a web browser profile and a protocol for getting other
assertions directly, but nothing to connect the two at runtime. Can you
handle it with the moral (but more complex) equivalent of /etc/hosts?
> Hence, I would request a vote concerning its 
> inclusion in SAML. I have raised similar questions before but 
> I do not feel they have been adequately answered [1].

I was surprised to see the element show up. My comment was neutral with
respect to that, but if it's there, I felt the text should be corrected,
and probably needs further clarification, as you say.

> But what is meant by the notion of "AuthorityKindType"?
> It seems misplaced in that a different question needs to be answered
> first: what type of service is implemented at the "Binding" URI?
> We have defined three request-response pairs in the 
> specification --- which one of them is implemented at the 
> "Binding" URI? All three? Only one of the three?

Presumably, that's the assumption behind the "kinds", right? Three
different queries, so you get three different types of answers, and if
you tell me the same binding matches all three kinds, so be it.

> Once this question is answered, we can perhaps further 
> constrain the service by describing the types of statements 
> in assertions returned by the particular service. 

I think that's a much more interesting question, but since I'm a little
fuzzy on the whole idea behind the statements and RespondWith thing...

It *seems* like it would be intuitive that if I send you an
AttributeQuery, I want an AttributeStatement. And so on. Reading the
core doc, I see text to the effect that I will get back something
containing the type of statement I'd expect, but I could get back more
than that, presumably. Maybe that's where RespondWith comes in?

I think you expressed the position that RespondWith is a little fuzzy to
you too, with which I would concur. I see this as a similar issue, but
more clear in my mind as to intent, anyway.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC