Subject: RE: [security-services] Stateless Conformity To SAML

> "Worthless" may be a bit strong, but I absolutely believe that it
> significantly undermines conformance claims overall.  To stub out 
> processing of the protocol would get you a pass on a (as of yet non-
> existent) conformance test, but it does the customer no good.  

Right, that's my point. But I don't see how adhering to this protocol
implies things about the implementation that other people seem to think it
implies. So I think that's significant for understanding what conformance
really means.

> This isn't to suggest that conformance claims guarantee the customer of a 
> useful product, but it should at least suggest the vendor's intentions.
> And here is a case where we would be pressing vendors to claim 
> conformance to something they may have no intention of really leveraging.

Well, my issue I guess is that as an implementer I need to understand what
"supporting" this feature means. I don't see anything in either the profile
or protocol that implies anything about what the implementation has to do to
satisfy the rules. It clearly means, if you have any notion of "remembering"
users within the SAML implementation, that you're updating state. But that's
a big "if" to me and it's not clear to me that a claim of conformance is
specific enough to answer it.

-- Scott

