Subject: [security-services] Comments on bindings-13


These comments are from an expanded internal review here at RSA.  Sorry I couldn't get these late last week.

  1. Global comment - while the term "Requester" is defined in the glossary, "Responder" is not.  Both are used throughout the bindings spec.  Suggest a global "s/responder/authority/" (or add responder to the glossary).
  2. Sections 4.1.1.4 and 4.1.1.5 - The description of these steps in the Browser/Artifact profile refer to the "assertion consumer" service at the destination site. The "assertion consumer" term is also used in the Browser/POST description.  But in the Browser/Artifact Profile, this service is not an assertion consumer - it is an artifact consumer and thus should be renamed. Substitute "artifact" for "assertion" in lines 475, 479, 482, 483, 498, 499, 505, 506, and 514.
  3. Lines 495, 514, 728: The phrase "exposed over SSL..." sounds strange to folks since what we're doing is preventing the URL from being exposed to attack. Recommend "protected by SSL...".
  4. Line 608: s/must MUST/MUST/
  5. Line 679: replace "browser/artifact" with "browser/POST"
  6. Line 711: The "Submit" button should not be included in the HTML FORM body that "MUST" be used.  Lines 765-775 contradict this explaining how to avoid using the submit button.  Thus, line 711 should be deleted.
  7. Lines 765-775: First, the Note seems out of place since it is indented immediately following a comment about <ConfirmationMethod> which has nothing to do with it.  Recommend removing the note and inserting the following paragraph after line 744:

"Posting the form can be triggered by various means. For example, a "submit" button could be included in the HTML FORM described in Step 2 by including the following line:

<INPUT TYPE="Submit" NAME="button" Value="Submit">

This requires the user to click the Submit button in order for the POST request to be sent. Alternatively, Javascript can be used to avoid the user interaction:"

            [include the javascript from lines 767-775]

  8. Line 838: refers to [AES], but an [AES] reference doesn't exist in the References section on pp 26-27.

Rob Philpott

RSA Security Inc.

The Most Trusted Name in e-Security

Tel: 781-515-7115

Mobile: 617-510-0893

Fax: 781-515-7020

mailto:rphilpott@rsasecurity.com
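The two ways of triggering the form post that item 7 describes (a visible Submit button, or a script so the user does nothing), as an added example that is not part of this message or of the bindings draft. The field names SAMLResponse and TARGET, the refusal of non-https consumer URLs (reflecting item 3) and the attribute escaping are assumptions of this example, not text from the draft.

```javascript
// Added example, not from the message or the SAML draft: render the HTML FORM
// used in the Browser/POST profile and choose how the POST is triggered.
// Field names "SAMLResponse" and "TARGET" are assumed from SAML 1.x usage.

function escapeAttr(value) {
  // Escape characters that would break out of a quoted attribute value;
  // TARGET often echoes a caller-supplied URL, so never paste it raw.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function buildPostForm({ action, samlResponse, target, autoSubmit }) {
  // The consumer URL is meant to be protected by SSL (item 3): refuse plain http.
  if (!/^https:\/\//i.test(action)) {
    throw new Error("assertion consumer URL must be https: " + action);
  }
  // samlResponse carries the base64-encoded <Response>; reject anything else.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(samlResponse)) {
    throw new Error("SAMLResponse must be base64");
  }
  const lines = [
    '<FORM METHOD="POST" ACTION="' + escapeAttr(action) + '" NAME="samlform">',
    '<INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="' + escapeAttr(samlResponse) + '">',
    '<INPUT TYPE="HIDDEN" NAME="TARGET" VALUE="' + escapeAttr(target) + '">',
  ];
  if (autoSubmit) {
    // Script-triggered post: no button, no user interaction (the alternative in item 7).
    lines.push("</FORM>");
    lines.push("<SCRIPT>document.forms[0].submit();</SCRIPT>");
  } else {
    // Button-triggered post: the INPUT line quoted in item 7.
    lines.push('<INPUT TYPE="Submit" NAME="button" Value="Submit">');
    lines.push("</FORM>");
  }
  return lines.join("\n");
}
```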