Re: [security-services] SLO processing rules

[Greg Whitehead <grw@trustgenix.com>]

I agree with Scott that the MUST added to line 1224 in profiles should 
be a SHOULD, at least to be consistent with everything else.

On whether or not we should consistently switch to MUST, I don't think 
it adds a lot of value in this case, since sending the LogoutRequest to 
session participants is something that may not be possible for various 
reasons (unsupported binding, network errors, etc) and we allow 
processing to continue in the event of those failures. So, I think a 
SHOULD is better than a MUST with exceptions.

-Greg

On Jan 6, 2005, at 11:10 AM, Scott Cantor wrote:

>> Scott, so perhaps the text slightly misleading. I know that
>> the SA rules say SHOULD, however, the initial definition
>> (section 3.7 4th paragraph), state that the SA MUST send a
>> LogoutRequest to ALL session participants.
>
> The MUST was a mistake that I didn't fix, it was supposed to be a 
> SHOULD
> because it was a SHOULD everywhere else in the rules before I added 
> this.
>
>> So currently the SHOULD implication in the SA rules really
>> applies to the first item (send LogoutRequest to proxying
>> IDPs) and the third item (terminate the session at the IDP).
>> The second item is a MUST because of the language in 3.7 4th
>> paragraph.
>
> All of them are supposed have the same language regardless.
>
>> In any case, I would propose to the TC to consider the SA
>> rules be changed from SHOULD to MUST -- as I think this is
>> the actual intent of the single logout in the general case.
>
> I don't know exactly how to resolve the issue in the time allowed.
>
> -- Scott
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> security-services-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: 
> security-services-help@lists.oasis-open.org