OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] SSO Profile confusion

Title: RE: [security-services] SSO Profile confusion

Brian, Scott, correct. Thanks for the clarifications.


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Thursday, July 28, 2005 2:35 PM
> To: Thomas Wisniewski
> Cc: Brian Campbell; SAML
> Subject: Re: [security-services] SSO Profile confusion
> Thomas Wisniewski wrote:
> > Can you clarify the following bullets in Profiles: 576,
> 578, and 580,
> > and 584 -- which seem to contradict the above statement.
> They imply that
> > one MUST verify various pieces against *any* bearer conf
> method (even if
> > there is one that satisfied all requirements already)?
> As Brian said, I don't think it makes sense to check all of
> them based
> on the rules that always made confirmation "any one of".
> Plus if you did check them all, they'd all have the same
> values and it
> would just be silly to have them, right?
> I think it's just a matter of changing "any" to "the" or
> perhaps "a". We
> need some language to explain the concept here, I guess, that you're
> looking for a bearer method that contains all the required attributes
> (Recipient and NotOnOrAfter) and also passes the checking.
> But what to do with multiple assertions is still too vague, not to
> mention multiple authn statements. Nobody but me seemed to be
> all that
> bothered by it at the time, so I concluded that having implemented it
> before in 1.1, that I was the only one confused by that.
> -- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]