OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Stateless Conformity To SAML

> "Worthless" may be a bit strong, but absolutely believe that it
> significantly undermines conformance claims overall.  To stub out 
> processing of the protocol would get you a pass on a (as of yet non-
> existent) conformance test, but it does the customer no good.  

Right, that's my point. But I don't see how adhering to this protocol
implies things about the implementation that other people seem to think it
implies. So I think that's significant for understanding what conformance
really means.

> This isn't to suggest that conformance claims guarantee the customer of a 
> useful product, but it should at least suggest the vendor's intentions.
> And here is a case where we would be pressing vendors to claim 
> conformance to something they may have no intention of really leveraging.

Well, my issue I guess is that as an implementer I need to understand what
"supporting" this feature means. I don't see anything in either the profile
or protocol that implies anything about what the implementation has to do to
satisfy the rules. It clearly means, if you have any notion of "remembering"
users within the SAML implementation, that you're updating state. But that's
a big "if" to me and it's not clear to me that a claim of conformance is
specific enough to answer it.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]