Subject: RE: [security-services] IdP Discovery
> It's not that you clear the cookie on logout, it's how you create the
> cookie in the first place (as a session cookie or as a persistent
> cookie). We don't say anything about that.

I know, but it's both, because if you expect the cookie to represent session status, you better darn well clear it on logout. ;-)

> > I think that's the intention.
>
> If that's the intention then we definitely need errata.

Sounds like Conor at least is confirming my impression of what the original intent in ID-FF was, and I definitely had that intent in mind when we copied it over. So if we need errata around that, that should be no big deal to do.

> You don't view communication through the _saml_idp HTTP
> cookie as a wire protocol?

No, a cookie format is effectively like a file format. Docbook is not a wire protocol. Sending docbook files around or sending a message asking what's in "section 5" would be. What my project is planning to do is decouple the implementation of "cookie reading" from "cookie writing", and that requires a wire protocol.

> I can't speak for others, but I think that would be a great
> contribution.

We have a preliminary sketch of how it looks here:

https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/WAYFDev

A formal doc is being worked on by a project member in the near future, but I can have him develop it as a draft contribution. On the surface it's mildly SAML flavored, but it basically just requires a few common conventions about what it means to be a party to SSO (the idea of uniquely identifying the parties) and that's about it. And obviously somebody implementing such a service can use the _saml_idp format (asinine as it is, thanks to my error) if they wanted to co-habitate with a CDC implementation.

-- Scott