
security-services message


Subject: Re: comments: sstc-saml-holder-of-key-browser-sso-draft-02

Nate posed the following questions on the last call:

>  Feedback is requested on whether to integrate sections 2.4 and 2.5 of this draft for simplicity, or to leave them separate so that message processing is distinct from messaging.

Well, yes, I suspect section 2 might be better organized.  The
following comments may suggest an appropriate reorganization:

- Elaborate on the conformance section (1.3).  What sections are
normative?  Specifically, what sections apply to the IdP and what
sections apply to the SP?

- The introduction to section 2.4 directs the reader to various
subsections depending on the deployment scenario.  For this to work,
however, the subsections need to be rewritten so that they are
independent of one another.  In particular, section 2.4.4 must be
independent of sections 2.4.1--2.4.3 and section 2.4.5 must be
independent of sections 2.4.1--2.4.4.  More importantly, the
introduction doesn't mention the subsections in section 2.5 at all.

Finally, section 2.6 seems out of place and section 2.7 might be taken
out of section 2 altogether.

>  Widening or narrowing of this profile to encompass or clarify use cases would be considered.

I suggest bringing IdP Discovery within scope of this profile.  (See
lines 216--218 and 273--277.)  The presented X.509 certificate could
be profiled to carry the entityID of the user's preferred IdP.
Assuming the certificate is self-signed (which is a reasonable
assumption unless X.509 authentication is used), it may be constructed
to simultaneously preserve privacy and to facilitate discovery.

The SP need not be required to support IdP Discovery via X.509, but
profiling it here (which is a natural extension of this profile) will
promote interoperability for those SPs that do.

>  All other review and comment is gratefully accepted!

See the previous messages in this thread for comments.
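A worked sketch of the IdP Discovery idea raised above, added here as an example; it is not code from the draft profile or from anyone in this thread. It assumes (an assumption the draft does not make) that the preferred IdP's entityID is carried as a URI entry in the certificate's Subject Alternative Name extension, that the certificate is self-signed with a random, meaningless subject so it reveals nothing about the user beyond the IdP they prefer, and that the SP only honours an entityID it already knows from metadata, so a presented certificate cannot steer the browser to an arbitrary IdP. The names newHoKCert, discoverIdP and the entityID values are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newHoKCert builds the user's self-signed holder-of-key certificate.
// Assumption (not from the draft): the preferred IdP's entityID is carried
// as a URI in the SAN extension, and the subject is a random label so that
// the certificate carries no stable user identifier.
func newHoKCert(entityID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	idpURL, err := url.Parse(entityID)
	if err != nil {
		return nil, nil, err
	}
	// Random CN: the certificate should help discovery, not identify the user.
	cn := make([]byte, 8)
	if _, err := rand.Read(cn); err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: hex.EncodeToString(cn)},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		URIs:                  []*url.URL{idpURL}, // the discovery hint
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// discoverIdP is the SP side. It reads the SAN URIs of the presented
// certificate and returns the first one that names an IdP the SP already
// trusts from metadata. A self-signed certificate proves nothing about the
// user, so the hint is used only to pick among known IdPs, never to add one.
func discoverIdP(cert *x509.Certificate, knownIdPs map[string]bool) (string, bool) {
	for _, u := range cert.URIs {
		if id := u.String(); knownIdPs[id] {
			return id, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample values; real entityIDs come from SAML metadata.
	const idp = "https://idp.example.org/idp/shibboleth"
	cert, _, err := newHoKCert(idp)
	if err != nil {
		panic(err)
	}
	known := map[string]bool{idp: true}
	id, ok := discoverIdP(cert, known)
	fmt.Printf("subject CN=%s discovered=%q known=%v\n", cert.Subject.CommonName, id, ok)
}
```

The SP-side check against a known list is the caveat worth keeping: without it, a discovery hint inside an untrusted certificate becomes an open redirect to whatever "IdP" the certificate names.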

