OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] question on MNI request for SP Lite/IdP Lite

ARI KERMAIER wrote on 2009-03-25:
> have two questions which I would like feedback from SSTC on. 	[Ari
> Kermaier] What business does a Lite implementation have using persistent
> NameIDs? My (admittedly dim) recollection of the origins of this
> conformance mode is that it stemmed from the concern of some SP
> implementers that they could not be conformant unless they had account
> linking data storage that would persist from one user session to the
> next. It seems to me, that the idea of a Lite implementation is
> inconsistent with the persistent NameID processing rules, and that
> differentiating based on support for MNI is really just a proxy for
> differentiating based on persistence.

Technically the rules involved aren't specific to persistent IDs, at least
on the SP side. Definitely some impact on the IdP side. The other component
had to do with server-side state (e.g. back channel logout, which means you
can't leave the state solely in a cookie).

But I think it was a mistake to make those features MUST NOT. More than one
person has asked what that means, and I can't come up with an answer.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]