OASIS Mailing List Archives: security-services message

Subject: RE: [security-services-comment] SAML 2.0 Identity Provider Discovery Profile


Thanks, comments inline:
 
> Section 4.3 of [SAMLProf]
> 
> [lines 1063--1064]  Delete the phrase "when authentication of the
> principal occurs" since the common domain writing service has no
> knowledge of this event.  The service is simply carrying out the
> wishes of the IdP.

Noted.

> [line 1066]  The phrases "no Path prefix" and "a Path prefix of "/""
> refer to the most specific and most general paths, respectively.  Is
> this intentional, and if so, why?

I think this was a Liberty error, thinking that omitting the path would be
equivalent to "/", which is incorrect. I will check next call, but have
tentatively changed this.

> [lines 1066--1067]  The phrase "[common-domain]" is not well defined.
> Suppose the common domain is CommonDomain.com.  Then the Domain
> attribute of the cookie should be set to ".CommonDomain.com".  RFC
> 2109 states that the Domain attribute "must always start with a dot."
> RFC 2965 (which obsoletes RFC 2109) states that if the Domain
> attribute "does not start with a dot, the user agent supplies a
> leading dot."  It is safest, however, to explicitly include the dot.

Have added a SHOULD to include a leading period. The RFCs seem to be in
practice meaningless, but a period does no harm.

> [line 1098]  The common domain server does not "set the cookie" on
> behalf of the service provider.  Instead, it READS the cookie and
> (presumably) returns the value in a query string parameter.

Already noted and fixed.

-- Scott
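The writing and reading services the comments above describe, as an added example in Python (not code from this thread, from the spec, or from any project): the Domain attribute always gets a leading dot, the Path is an explicit "/", and the reading service only reads the cookie and hands the most recent IdP back in a query parameter. The cookie name `_saml_idp` and the space-separated base64 value format are assumed from the profile; the `entityID` parameter name and the return-URL allowlist are hypothetical.

```python
import base64
from urllib.parse import quote, unquote, urlencode, urlsplit

COOKIE_NAME = "_saml_idp"  # assumed from the IdP Discovery profile, not stated in this thread


def normalize_domain(common_domain: str) -> str:
    """Return the cookie Domain attribute with an explicit leading dot (RFC 2109/2965)."""
    domain = common_domain.strip().lower()
    return domain if domain.startswith(".") else "." + domain


def writer_set_cookie(common_domain: str, idp_entity_ids: list[str]) -> str:
    """Set-Cookie header emitted by the common domain writing service.

    The value is a space-separated list of base64 entityIDs, most recent last
    (assumed format); it is percent-encoded so the space survives as a cookie value.
    """
    value = " ".join(base64.b64encode(e.encode()).decode() for e in idp_entity_ids)
    # Path=/ is spelled out: an omitted Path defaults to the request URL's directory,
    # which is narrower than "/", not equivalent to it.
    return (f"{COOKIE_NAME}={quote(value)}; Domain={normalize_domain(common_domain)}; "
            f"Path=/; Secure")


def reader_parse_cookie(cookie_header: str) -> list[str]:
    """Parse a Cookie request header and return the IdP entityIDs, most recent last."""
    for part in cookie_header.split(";"):
        name, _, raw = part.strip().partition("=")
        if name == COOKIE_NAME and raw:
            return [base64.b64decode(tok).decode() for tok in unquote(raw).split(" ") if tok]
    return []


def reader_redirect_location(return_url: str, cookie_header: str,
                             allowed_hosts: set[str], param: str = "entityID") -> str:
    """Location the common domain reading service redirects to.

    It never sets the cookie; it READS it and returns the most recent IdP as a query
    parameter. The return URL host is checked against SP metadata (here an allowlist)
    so the reader cannot be used as an open redirector.
    """
    if urlsplit(return_url).hostname not in allowed_hosts:
        raise ValueError("return URL host is not a known service provider")
    idps = reader_parse_cookie(cookie_header)
    if not idps:
        return return_url  # no common domain cookie: SP must discover the IdP another way
    sep = "&" if "?" in return_url else "?"
    return return_url + sep + urlencode({param: idps[-1]})
```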


