
security-services message


Subject: RE: [security-services] Stateless Conformity To SAML

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Friday, July 30, 2004 2:37 PM
> To: Steve Anderson; security-services@lists.oasis-open.org
> Subject: RE: [security-services] Stateless Conformity To SAML
>
> > "Worthless" may be a bit strong, but absolutely believe that it
> > significantly undermines conformance claims overall.  To stub out
> > processing of the protocol would get you a pass on a (as of yet
> > non-existent) conformance test, but it does the customer no good.
>
> Right, that's my point. But I don't see how adhering to this protocol
> implies things about the implementation that other people seem to think it
> implies. So I think that's significant for understanding what conformance
> really means.
>
> > This isn't to suggest that conformance claims guarantee the customer of a
> > useful product, but it should at least suggest the vendor's intentions.
> > And here is a case where we would be pressing vendors to claim
> > conformance to something they may have no intention of really leveraging.
>
> Well, my issue I guess is that as an implementer I need to understand what
> "supporting" this feature means. I don't see anything in either the profile
> or protocol that implies anything about what the implementation has to do to
> satisfy the rules. It clearly means, if you have any notion of "remembering"
> users within the SAML implementation, that you're updating state. But that's
> a big "if" to me and it's not clear to me that a claim of conformance is
> specific enough to answer it.
>
> -- Scott

And that's my point -- a conformance claim should offer a helpful clue, and at 
the very least, not be misleading.  Claiming conformance to Name ID management
messages seems very misleading if the product doesn't have any notion of
"remembering" users.
Steve Anderson
