[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-07
> Perhaps you're right. Note, I'm not objecting to the text, much like in the other case, just suggesting it may not belong here. > > This seems like a good errata for core, more than a specific addition to > > this profile. I agree that the current text doesn't read all that well. It > > implies that the IdP has to return an error, but it doesn't come out and > say > > it, so I think we should clean that up. > > That's fine. I will add a PE to my backlog. > In the case of HoK Web Browser SSO, the problem is likely associated > with the X.509 certificate obtained from TLS client auth (so the > RequestUnsupported status code is relevant, I think). In some cases, sure, but I don't think we need to require it. As a matter of interop, there aren't many cases where mandating a second level status is worth bothering with. > There's not much we can do about this in the HoK Web Browser SSO > Profile except to perhaps RECOMMEND to the client to use a DER-encoded > certificate. I doubt that recommendation is gonna make much > difference, however. Based on the feedback I'm getting, it pretty much makes no difference. The problem is that if people get non-DER certs, they're stuck with them. That's kind of the problem here. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]