I owed proposed text for PE52.
My original PE52 comment dealt with Profiles lines 556-7, which state that a NotOnOrAfter attribute in the **<SubjectConfirmationData>** element MUST be included in the SSO profile so that it “limits the window during which the assertion can be delivered”. Note that the text is not talking about the NotOnOrAfter attribute on the <Conditions> element.
I pointed out that Core defines the attribute on the <SubjectConfirmationData> element as being the time after which the subject can’t be confirmed. So my point was that the text in profiles should be described in terms of its definition in Core. Otherwise, it’s being used for something in the profile that it’s not defined for in Core.
IMO, it is the NotBefore/NotOnOrAfter attributes on the <Conditions> element that limit the window during which an assertion can be delivered (or more specifically, when it will be considered valid by a recipient). But IMO, the NotOnOrAfter on the <SubjectConfirmationData> element just limits the window during which the subject can be confirmed, and that window might conceivably be different from the assertion's validity window based on the <Conditions> element.
Now I don’t know if any implementations actually use different values for the NotOnOrAfter attribute on these two elements, but technically they could be different. If they are different, then the text in profiles could technically be wrong as I read it.
So my proposed text changes Profiles lines 556-7 from “a NotOnOrAfter attribute that limits the window during which the assertion can be delivered” to “a NotOnOrAfter attribute that limits the window during which the recipient can perform a confirmation of the assertion <Subject>”.
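
Added example, not part of the original message and not taken from any SAML implementation: a recipient-side check that evaluates the <SubjectConfirmationData> window and the <Conditions> window independently, showing how the two can disagree when the NotOnOrAfter values differ. The sample assertion, the example.org URLs and the function names are constructed for illustration; only timing is checked, with signature and Recipient validation assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the two NotOnOrAfter values deliberately differ.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
                                    Recipient="https://sp.example.org/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>
"""

def _ts(value):
    """Parse a whole-second UTC timestamp; None means the attribute was absent."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _in_window(now, not_before, not_on_or_after):
    """NotBefore is inclusive, NotOnOrAfter is exclusive; absent bounds are open."""
    if not_before is not None and now < not_before:
        return False
    if not_on_or_after is not None and now >= not_on_or_after:
        return False
    return True

def check_windows(xml_text, now):
    """Return (subject_confirmable, conditions_valid), evaluated independently."""
    root = ET.fromstring(xml_text)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = root.find("saml:Conditions", NS)
    # Assumption: missing confirmation data is treated as "cannot confirm".
    confirmable = scd is not None and _in_window(
        now, _ts(scd.get("NotBefore")), _ts(scd.get("NotOnOrAfter")))
    valid = cond is None or _in_window(
        now, _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter")))
    return confirmable, valid
```

At 12:30 in the sample, the subject can no longer be confirmed although the <Conditions> window is still open, which is the case where the two readings of Profiles lines 556-7 diverge.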