
security-services message


Subject: SSO profile clarification

Just so this is tracked in the archives, I wanted to note a clarification on
the SSO profile in case the spec does get submitted and we need to start an
errata list (or whatever it's called).

Line 555 of profiles cd-2g (the spec up for vote) says:

"Any bearer <SubjectConfirmationData> elements MUST contain..."

It proceeds to outline what has to be included in the element to feed
subsequent SP processing rules down below.

The intent of this paragraph was not that <SubjectConfirmationData> is
optional in the profile. The wording is ambiguous because I was talking
around the possible presence of other <SubjectConfirmation> elements in the
same or other assertions in the response.

The erratum would be something to the effect that the sentence should read:

"Any bearer <SubjectConfirmation> elements MUST contain a
<SubjectConfirmationData> element, which MUST contain..."

The profile isn't exactly insecure without the element, because a lot of it
is redundant with other assertion content (or could be redundant), but for
consistency and to enable more freedom in the assertion, this is where the
protections are specified, particularly with POST.

-- Scott
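Added example, not part of Scott's message or of any OASIS text: an SP-side check that applies the clarified reading, treating a bearer <SubjectConfirmation> without a <SubjectConfirmationData> child as a malformed assertion rather than letting it through. The message elides the "MUST contain..." details; the Recipient, NotOnOrAfter and InResponseTo rules checked here are assumed from the published SAML 2.0 Web Browser SSO profile, and the assertions, ACS URL, request ID and clock value are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def check_bearer_confirmations(assertion_xml, acs_url, request_id, now):
    """Return (ok, reason). Strict SP policy: every bearer <SubjectConfirmation>
    MUST carry a <SubjectConfirmationData> (the erratum's reading) and that
    element must satisfy the SSO profile rules (assumed from the published
    profile, not quoted in the message)."""
    root = ET.fromstring(assertion_xml)
    confs = root.findall(f".//{{{SAML}}}SubjectConfirmation")
    bearer = [c for c in confs if c.get("Method") == BEARER]
    if not bearer:
        return False, "no bearer SubjectConfirmation in assertion"
    for conf in bearer:
        data = conf.find(f"{{{SAML}}}SubjectConfirmationData")
        if data is None:
            # The ambiguous wording could be read as allowing this; the
            # clarified wording does not, so the assertion is rejected.
            return False, "bearer SubjectConfirmation lacks SubjectConfirmationData"
        if data.get("Recipient") != acs_url:
            return False, "Recipient does not match this SP's ACS endpoint"
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            return False, "NotOnOrAfter missing"
        if datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            return False, "NotOnOrAfter has passed"
        if request_id is not None and data.get("InResponseTo") != request_id:
            return False, "InResponseTo does not match the outstanding request"
    return True, "ok"

def _assertion(conf_inner):
    # Constructed minimal assertion; only the Subject matters for this check.
    return (f'<Assertion xmlns="{SAML}"><Subject><NameID>alice</NameID>'
            f'<SubjectConfirmation Method="{BEARER}">{conf_inner}'
            '</SubjectConfirmation></Subject></Assertion>')

ACS = "https://sp.example/acs"          # constructed SP endpoint
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock
GOOD = _assertion(f'<SubjectConfirmationData Recipient="{ACS}" '
                  'NotOnOrAfter="2024-01-01T00:05:00Z" InResponseTo="_req1"/>')
BAD = _assertion('')   # bearer confirmation with no data element at all

if __name__ == "__main__":
    print(check_bearer_confirmations(GOOD, ACS, "_req1", NOW))
    print(check_bearer_confirmations(BAD, ACS, "_req1", NOW))
```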
