Re: [security-services] Groups - sstc-saml-x509-authn-attrib-profile-draft-11.sxw uploaded

["Tom Scavo" <trscavo@gmail.com>]

Hi Ari,

On 1/16/07, Ari Kermaier <ari.kermaier@oracle.com> wrote:
>
> The concern I had with drafts 9 and 10 was that the structural and normative changes were too extensive to be consistent with what we were trying to accomplish by creating your new draft series for deployment profiles, etc. as distinct from the post-CD draft of the original profile.

I personally don't think drafts 9 and 10 are drastic changes to CD-02,
but of course YMMV.

> After the discussion, I thought we were in agreement that I should start from CD02, and incorporate the comments based on the work that you had done through draft-10. However, the AI's wording seems to suggest that production of draft-11 should literally start from draft-10. I think that would be a mistake, as rolling back the draft-10 changes that we plan to omit from draft-11 will be quite a bit more painful.

Okay, whatever is easiest for you.  I posted what I think is a
complete list of comments re CD-02 in a separate thread for reference.
 As long as those comments are considered (accepted or rejected, it
doesn't matter), then that's fine.

I've looked over your first crack at draft-11 and would like to offer
these initial comments:

- Will this profile ultimately be cast as a "Deployment Profile"?  It
should be, I think, since it solves exactly the same use case
addressed in the other Deployment Profile.

- The brief mention of SAML metadata is inadequate, I think.  How does
an SP distinguish IdP support for basic mode vs. encrypted mode?  More
importantly, how does an IdP advertise its support for other
X.509-based profiles (such as the Deployment Profile I uploaded
earlier).

I have other less significant comments, but they should probably wait
for an official draft 11.

Cheers,

Tom Scavo
NCSA/University of Illinois