
shibboleth-dev - comments: draft-mace-shibboleth-arch-protocols-06

Subject: Shibboleth Developers

  • From: Tom Scavo <>
  • To: Shibboleth Development <>
  • Subject: comments: draft-mace-shibboleth-arch-protocols-06
  • Date: Sun, 13 Feb 2005 11:47:02 -0500

Document: draft-mace-shibboleth-arch-protocols-06

[line 1, footer] Right align date and page.

[line 86] Insert reference to [RFC 2119].

[line 166] Italicize "identity provider".

[line 173, 237] Replace "provider ID" with "provider Id".

[lines 202--203] Insert non-breaking space between "section" and "3.2".

[line 217] Replace "a short-lived authentication assertion" with "an
authentication assertion". (I think you mean "short-lived" with
respect to the browser, but without further explanation the phrase is
easily misinterpreted.)

[line 231] Italicize "service provider".

[line 251, 498] Replace "out of band" with "out-of-band". (?)

[line 296, 662] URIs are often strictly lowercase. Should this one be
lowercase?

[line 309] Replace "Generally" with "Typically".

[line 325] Replace "Browser/POST" with "Browser/Artifact".

[lines 327--328] Replace the given parenthetic remark with "The base
SAML profiles presume successful authentication since they are
identity-provider-first profiles."

[line 361] Replace "1084819377" with "1050540300", which corresponds
to Thu, 17 Apr 2003 00:45:00 GMT. (This time value is one minute
prior to the AuthenticationInstant given on line 445.)

[line 491] Replace "a SAML artifact" with "a type 0x0001 SAML artifact".

[lines 494--495] Replace the value of the SAMLart parameter with
"AAH7iBsAkCvNPMBcQlDBx%2FAlFu8FW8FM5ZapUHYA8Nzz4nr19fBabdCU". This is
a type 0x0001 artifact with its SourceId equal to the SHA-1 hash of
"https://idp.example.org/shibboleth" and a random AssertionHandle.

[line 521, 526, 557, 566] Remove the trailing slash in the provider Id.

[line 603] Replace "example in section 3.1.2.1" with "examples in the
previous sections".

[line 610] Delete the comma.

[line 612] Replace this line with "provider that originally issued the
identifier. Moreover, in <saml:Assertion> elements the value of the".

[line 620] Replace "SAML (and by extension Shibboleth) profiles" with
"SAML profiles (and by extension Shibboleth profiles)".

[line 623] Replace "one in" with "a metadata specification".

[line 635] Replace "this" with "the <md:EntitiesDescriptor>".

[line 657] Replace "this" with "an <md:IDPSSODescriptor>".

[line 659, 662, 669, 673, 677] Display the URI(s) on separate lines.

[lines 660--661] Join these lines.

[line 667] Replace "this" with "an <md:AuthnAuthorityDescriptor>".

[line 668] Delete the word "lookup".

[line 672] Replace "this" with "an <md:AttributeAuthorityDescriptor>".

[line 675] Replace "this" with "an <md:SPSSODescriptor>".

[line 684] Replace "directly" with "through the browser".

[line 686] Replace "by" with "in".

[line 689] Replace "information within" with "information contained within".

[lines 689--690] Delete the phrase "to the attacker".

[line 696] Replace "current profile" with "Authentication Request profile".

[line 700] Replace "makes unneeded information available" with
"releases unnecessary information".

[lines 703--704] Join these lines.

[lines 704--705] Replace this sentence with "For example, service
providers MAY use an opaque value in the target parameter, and
maintain the state associated with the request (such as the eventual
resource URL) using HTTP cookies."

[line 708] Replace "in conjunction with it or subsequently are" with
"in conjunction with it or subsequent to it are".

[line 713] Replace "authentication response" with "Authentication Request".

[line 718] Replace "It" with "Therefore, it".

[lines 717--718] Join these lines.

[line 721] This statement is false since the following references are
NOT cited in the body text: [RFC 2119], [SAML-XSD], [SAMLP-XSD],
[SAML2Prof], [SAMLMeta-xsd], and [LibertyBind]. Either cite these
references in the body text or delete them.

General comments and suggestions:

- What is the version number of this specification, or rather, how
does the reader associate this specification with a particular
implementation (or set of implementations)? Put another way, when the
Shibboleth architecture is rewritten for SAML2, what will be the title
of that document?

- Use normative language in section 2.2.5.

- Use additional normative language in the first paragraph of section 2.3.2.

- Use a more benign (i.e., typical) target parameter value in sections
3.1.1.4 and 3.1.3.1. (When I first saw this example I wondered why
there was a login page at the SP.)

- Did the SAML2 recommendation referred to on line 483 come to
fruition? If so, the sentence should be reworded.

- As recommended in section 3.2.4, why isn't the xsi:type attribute
included in example 3.2.3.1? (I'm not familiar enough with XML data
types to answer this question.)
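The comment on lines 494--495 above describes the layout of a type 0x0001 SAML 1.x artifact: a two-byte type code, a 20-byte SourceId that is the SHA-1 hash of the identity provider's provider Id, and a 20-byte random AssertionHandle, the whole thing base64-encoded and then URL-encoded for the SAMLart query parameter. The following Python is an added illustration of that layout, not code from the message or from the Shibboleth project; the function names are my own, and the only page-specific value used is the artifact proposed in the comment, which the code parses to show that it carries type code 0x0001 and a 20-byte SourceId. A service provider that checks the SourceId against the metadata of the identity provider it intends to resolve the artifact at can reject artifacts pointing elsewhere before making any back-channel request.

```python
import base64
import hashlib
import os
import urllib.parse
from typing import Optional

# Type code for the SAML 1.x artifact format discussed in the draft.
TYPE_CODE_0001 = b"\x00\x01"

# Artifact value proposed in the comment on lines 494--495 (taken from the page).
DRAFT_EXAMPLE_ARTIFACT = "AAH7iBsAkCvNPMBcQlDBx%2FAlFu8FW8FM5ZapUHYA8Nzz4nr19fBabdCU"


def source_id(provider_id: str) -> bytes:
    """SourceId of a type 0x0001 artifact: the 20-byte SHA-1 digest of the provider Id.

    SHA-1 is used here only as a fixed-width identifier of the issuing provider,
    as the artifact format defines it; it carries no authentication on its own.
    """
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def build_artifact(provider_id: str, assertion_handle: Optional[bytes] = None) -> str:
    """Build a URL-encoded type 0x0001 artifact suitable for a SAMLart parameter.

    The AssertionHandle must be 20 random bytes; it is generated here when not supplied.
    """
    if assertion_handle is None:
        assertion_handle = os.urandom(20)
    if len(assertion_handle) != 20:
        raise ValueError("AssertionHandle must be exactly 20 bytes")
    raw = TYPE_CODE_0001 + source_id(provider_id) + assertion_handle
    # safe="" makes quote() escape "/" and "+" as %2F and %2B, as in the draft's value.
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def parse_artifact(samlart: str) -> dict:
    """Decode a SAMLart parameter value and split it into its three fields.

    Rejects anything that is not exactly 42 bytes or not type 0x0001, so a
    receiver does not act on a malformed or unexpected artifact type.
    """
    raw = base64.b64decode(urllib.parse.unquote(samlart), validate=True)
    if len(raw) != 42:
        raise ValueError("type 0x0001 artifact must be 42 bytes, got %d" % len(raw))
    type_code = int.from_bytes(raw[:2], "big")
    if type_code != 1:
        raise ValueError("unexpected artifact type code 0x%04x" % type_code)
    return {
        "type_code": type_code,
        "source_id": raw[2:22],
        "assertion_handle": raw[22:42],
    }


def issued_by(samlart: str, provider_id: str) -> bool:
    """True if the artifact's SourceId matches the SHA-1 of the given provider Id."""
    return parse_artifact(samlart)["source_id"] == source_id(provider_id)


if __name__ == "__main__":
    fields = parse_artifact(DRAFT_EXAMPLE_ARTIFACT)
    print("type code: 0x%04x" % fields["type_code"])
    print("SourceId:  ", fields["source_id"].hex())
    print("Handle:    ", fields["assertion_handle"].hex())
    # A freshly built artifact for the draft's provider Id round-trips and matches.
    art = build_artifact("https://idp.example.org/shibboleth")
    print("issued by idp.example.org:", issued_by(art, "https://idp.example.org/shibboleth"))
```

Running the module prints the decoded fields of the draft's proposed value and then builds a fresh artifact for the same provider Id; `issued_by` is the check a service provider would apply against the provider Id it takes from metadata before resolving the artifact.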

