security-services message



Subject: RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-07


> Perhaps you're right.

Note, I'm not objecting to the text, much like in the other case, just
suggesting it may not belong here.

> > This seems like a good errata for core, more than a specific addition to
> > this profile. I agree that the current text doesn't read all that well. It
> > implies that the IdP has to return an error, but it doesn't come out and say
> > it, so I think we should clean that up.
> 
> That's fine.

I will add a PE to my backlog.

> In the case of HoK Web Browser SSO, the problem is likely associated
> with the X.509 certificate obtained from TLS client auth (so the
> RequestUnsupported status code is relevant, I think).

In some cases, sure, but I don't think we need to require it. As a matter of
interop, there aren't many cases where mandating a second level status is
worth bothering with.

> There's not much we can do about this in the HoK Web Browser SSO
> Profile except to perhaps RECOMMEND to the client to use a DER-encoded
> certificate.  I doubt that recommendation is gonna make much
> difference, however.

Based on the feedback I'm getting, it pretty much makes no difference. The
problem is that if people get non-DER certs, they're stuck with them. That's
kind of the problem here.

-- Scott



