OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: FW: [security-services-comment] Public Comment

-----Original Message-----
From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org] 
Sent: Monday, March 15, 2004 7:52 PM
To: security-services-comment@lists.oasis-open.org
Subject: [security-services-comment] Public Comment

Comment from: pnshenoy@uncc.edu

It came to my notice while reading the Technical Overview (rev 03, posted in
March) that the description provided in section 4.1.2 for "Detailed
Processing for the Destination-Site First Scenario" is not proper. 

It also does not match with Figure 10 that it is supposed to represent. I
already have compiled it and also redrew the figure to provide a correct
expression of the intended case scenario.

Some points for immediate cross-checking 
<-- ISSUE 1 -->
Section 4.1.2, Step 2: The local web site performs an access check and
determines that the user must be authenticated by the central site. A
redirect on is issued to the central site.Typically,this redirect on is to
the central site's Inter-site Transfer Service
<Correction> Figure 10 shows the local web site to be www.abc.com, this is a
mistake and can be confusing for readers who are reading this for the first
time. Instead of local web site, you can put www.xyz.com,or for the sake of
consistency use remote site. Also, there is no mention of the central site
in the diagram. Is it there ??????

<-- ISSUE 2 -->
Section 4.1.2, Step 3: The www.abc.com SAML responder supplies back a SAML
response message containing the assertion generated during step 7.
<Correction>  The assertion is generated in step 6 according the your
description. Is is a copy-paste error ? There is no SAML responder in the
diagram, although it can be understood to be an abstract backend entity
doing the processing.It would be great if you show a functional block for
SAML responder at www.abc.com.

Also, i think the figure 10 itself is incorrect and needs to be revised.

There are a couple of other corrections that i have to suggest. Although, i
sincerely feel that reading thess comments and revising the document will
highlight rest of the issues in the Section.

These comments are based on my understanding of the SAML protocol. If the TC
thinks that these comments are invalid, please intimate me about it.



To unsubscribe from this list, send a post to
security-services-comment-unsubscribe@lists.oasis-open.org, or visit

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]