security-services message


Subject: Re: [security-services] Groups - draft-sstc-saml-idp-discovery-02.pdf uploaded

On 2/23/07, Scott Cantor <cantor.2@osu.edu> wrote:
> > - Early in section 2, can you list the steps in one place, at the
> > beginning?  Also, can you include a flow diagram that shows how the
> > Discovery Service fits into the larger Web SSO Profile?
> I didn't think it was long enough to need a separate stepwise intro.

Well, it might just be me, but I think you need to provide some
context for the details discussed in the subsequent subsections.

> > In other words, shouldn't the query string parameter on the
> > 'return' URL be suitably restricted to prevent parameter name clashes?
> >  What should the DS do if such a collision occurs?
> I don't think it's justified to make a DS check for it. I guess I should
> just say "MUST NOT include..." then.

I think you have a minor problem here.  The DS needs to check for this
edge case and take evasive action if there's a name clash.

Note that multiple HTTP parameter instances lead to unspecified
behavior.  Server-side web languages handle multi-valued parameters

> > - The purpose of the 'returnIDParam' parameter is confusing at first.
> > Can the brief explanation on lines 175--176 be clarified?  (Sorry, I
> > don't have anything to offer at this point.)
> Maybe it would help me if you explained what you thought it was for before
> you understood it?

I checked my notes, and my initial reaction was "huh?"  It was only
until I got to section 2.4.3 that I understood the intent of that

> > - In section 2.5, what happens if the DS is unable to match the value
> > of the 'return' parameter with a location in metadata?
> I think either reporting the error

Error?  There is no error protocol as far as I can see.

> or returning nothing is acceptable and
> shouldn't be prescribed here.

I don't follow.  Seems the spec should explicitly tell the DS what to
do in this case.

> Returning nothing is required in the passive
> case, but otherwise it's got to depend on the deployment what to do.

I missed that.  Where does it say that returning nothing is the
prescribed thing to do?

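The parameter-clash and return-URL points above, worked through as an added example in Python. This is not code from the draft or from anyone in this thread, and it makes several assumptions of my own that the draft may not share: SP metadata is reduced to a list of DiscoveryResponse Location URLs; a 'return' URL matches metadata when it equals one of those Locations once the query string and fragment are dropped; the DS refuses a request whose 'return' URL already carries the returnIDParam name rather than appending a second instance; and a non-passive request with no IdP selected is treated as an error, since the draft leaves that to the deployment. Function and parameter names (build_return_url, matches_metadata, entity_id_values) are mine.

```python
# Added example, not code from the draft or from anyone in this thread.
# Assumptions (mine): metadata reduced to DiscoveryResponse Location URLs;
# 'return' matches when equal to one of them minus query and fragment;
# a name clash with returnIDParam is refused rather than duplicated.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class DiscoveryError(Exception):
    """Request the DS will not honour (bad return URL or parameter clash)."""


DEFAULT_RETURN_ID_PARAM = "entityID"   # default name when returnIDParam is absent


def strip_query(url):
    """URL with query string and fragment removed, for metadata comparison."""
    return urlunsplit(urlsplit(url)._replace(query="", fragment=""))


def matches_metadata(return_url, discovery_response_locations):
    """True if 'return' (minus query/fragment) is a registered DS endpoint."""
    registered = {strip_query(loc) for loc in discovery_response_locations}
    return strip_query(return_url) in registered


def build_return_url(return_url, entity_id, discovery_response_locations,
                     return_id_param=None, is_passive=False):
    """Redirect target the DS sends the user agent back to.

    entity_id is the selected IdP's entityID, or None if none was selected.
    """
    if not matches_metadata(return_url, discovery_response_locations):
        # Assumption: an unmatched 'return' is rejected rather than used;
        # redirecting to an unregistered URL would make the DS an open
        # redirector that also leaks the user's IdP choice to that URL.
        raise DiscoveryError("return URL is not a DiscoveryResponse location")

    name = return_id_param or DEFAULT_RETURN_ID_PARAM
    parts = urlsplit(return_url)
    existing = parse_qsl(parts.query, keep_blank_values=True)

    if any(key == name for key, _ in existing):
        # The clash discussed in the thread: appending anyway would hand the
        # SP two instances of `name`, and frameworks disagree on which wins.
        raise DiscoveryError(f"return URL already carries parameter {name!r}")

    if entity_id is None:
        if is_passive:
            # Passive request and nothing selected: send the agent back with
            # no entityID appended, i.e. 'return' unchanged.
            return return_url
        # Assumption: non-passive with no selection is deployment policy;
        # this example treats it as an error.
        raise DiscoveryError("no IdP selected")

    query = urlencode(existing + [(name, entity_id)])
    return urlunsplit(parts._replace(query=query))


def entity_id_values(query, name=DEFAULT_RETURN_ID_PARAM):
    """Every value the SP would see under `name`. More than one means a
    clash got through and the SP's framework picks first, last or a list."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]


if __name__ == "__main__":
    # Constructed sample data, not real deployments.
    locations = ["https://sp.example.org/Shibboleth.sso/DS"]
    ret = "https://sp.example.org/Shibboleth.sso/DS?target=%2Fsecure"
    idp = "https://idp.example.edu/idp/shibboleth"
    print(build_return_url(ret, idp, locations))
    for bad in ("https://sp.example.org/Shibboleth.sso/DS?entityID=x",
                "https://evil.example.net/DS"):
        try:
            build_return_url(bad, idp, locations)
        except DiscoveryError as e:
            print("rejected:", e)
```

The metadata check and the clash check are the two decisions the thread argues the DS has to make explicitly; the entity_id_values helper shows what reaches the SP if the clash is not caught, which is why the example refuses rather than guesses.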
