SAML Token Profile 1.1 comments

[<Frederick.Hirsch@nokia.com>]

Ron

Thanks for an improved revision to the SAML Token Profile. I have a few questions and suggestions as well as a number of editorial comments (typos).

Line numbers refer to the PDF with change bars at 
http://www.oasis-open.org/apps/org/workgroup/wss/download.php/12686/WSS-SAML-TOKEN-PROFILE-1.1-wd-02-changes.pdf

Comments:

1) Line 195, should the definition of "SAML Assertion Authority" be "A system entity that issues SAML assertions."? Not sure why it is abstract, part of the current definition.

2) Section 3.4, line 436-7, should we restate requirement in the MUST NOT form (keeping the same meaning):

"A key identifier MUST NOT be used to reference a remote SAML V2.0 assertion, i.e. an assertion not contained within the same SOAP message." 

3) Footnote #4, after line 450, we should also refer to the 1.1 core (avoiding possible confusion regarding applicability of errata) , adding sentence:
"This change has been merged into WSS: SOAP Message Security 1.1 as well."

4) at line 469, remove "doubly-referenced", possibly confusing, maybe not always doubly-referenced.

5) line 489, not clear what is meant by "not included in this profile". Does this mean not addressed, or not allowed?  Suggest change to "not addressed by this profile"

6) Line 499, replace "compatible' with "conformant"

7) 605-608, for clarity, show full example (it is short) rather than just changed urls.

8) Line 667, change SHOULD to a MUST, producing

"The STR Dereference transform MUST NOT be applied to an embedded reference."

9) Are you sure the sender-vouches examples are correct (section 3.5.2.3 and 3.5.2.4)? They seem to use the holder-of-key confirmation method (lines 1034 and 1134).

Typos/Editorial

10) Section 1.1 

line 142 is awkward
s/including for/including the use of such assertions for/

line 145 - not required to be referenced
s/and referenced/and may be referenced/

line 145
s/wsse:security/wsse:Security/ (actually just do this globally in the document)

line 146
s/are used/may be used/

line 151 
s/for/in conjunction with/

11) Section 3.2

in 3.2.1 line 223 s/AssertionID/AssertionID"/

in footnote 3 after line 266, s/ds:keyinfo/ds:KeyInfo/ (actually just do this globally in the document)
also line 651

12) Section 3.4

in 3.4.1 line 510 s/in the header/in the SOAP header/

in 3.4.2 line 645 s/<ds:KeyInfo elements may/Such <ds:KeyInfo elements referencing SAML assertions may/

in 3.4.3 line 671, s/not its reference/not the reference to it./

in 3.4.4 line 724 s/Security/<wsse:Security>/

14) Section 3.5

Why is "canonicalization" in italics, seems regular format would be appropriate for these usages.

line 990 s/act as/act for/
991 not clear what "and with the calims of the statements" means in this sentence. Remove?

line 998 s/SecurityTokeReference/SecurityTokenReference/

line 999 two times  s/ds:reference/ds:Reference/g  (do globally in document)

regards, Frederick

Frederick Hirsch
Nokia