shibboleth-dev - comments: draft-cantor-saml-sso-delegation-01
Subject: Shibboleth Developers
List archive
- From: Tom Scavo <>
- To: Shibboleth Development <>
- Subject: comments: draft-cantor-saml-sso-delegation-01
- Date: Thu, 15 Dec 2005 14:27:03 -0500
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=UZzUQGl21dy38vvNEx3Sg1pmI8WQHHoj9uheROMqduYB1j4TxdGs918rAx/bQX98WvsvJBwIf8bnXCLfECHC7Sw3LtJ2Da4hScmQ34Pa4exhJ/2tIguUeqcojALTU9NbbkX6Hz1LHpprS8J6UXjonsptAz1GUuGHH0H85+1SyAY=
http://shibboleth.internet2.edu/docs/draft-cantor-saml-sso-delegation-01.pdf
Nits:
- [line 320] s/representinga/representing a/
- [line 340] s/Muliple/Multiple/
- [line 366] s/included/included in the request/
- [line 370] s/included/included in the request/
- [line 374] s/included/included in the request/
- [line 381] s/element/element in the request/
- [line 451] s/$/>/ (This typo was probably copied from [SAML2Prof, line
370].)
- [line 459] s/SubjectConfirmationData/saml:SubjectConfirmationData/
- [line 463] s/SubjectConfirmationData/saml:SubjectConfirmationData/
Bugs:
- The NotBefore attribute on line 450 is not allowed according to [SAML2Prof].
Questions:
- [lines 160--161] Do SPa and SPb reside in the same administrative domain?
- [line 248] s/access/authenticate to/ ?
- [line 326] s/authenticate and authorize/authenticate/ ?
- [line 386] s/establish/declare/ ?
- In [SAML2Prof, section 3.1], it says the holder of the key is
considered to be subject of the assertion. The example in section
3.1.6 bends this rule, doesn't it?
General (SAML2) questions:
- Do either SubjectConfirmationData/@NotOnOrAfter or
Conditions/@NotOnOrAfter implicitly refer to the lifetime of
Subject/NameID? (Yes, I'm still having trouble with the semantics of
transient identifiers.)
- In [SAML2Core], it says a <subject> element SHOULD NOT identify more
than one principal. Allowing SubjectConfirmation/NameID in addition
to Subject/NameID seems to contradict this goal, doesn't it?
- comments: draft-cantor-saml-sso-delegation-01, Tom Scavo, 12/15/2005
- RE: comments: draft-cantor-saml-sso-delegation-01, Scott Cantor, 12/15/2005
- Re: comments: draft-cantor-saml-sso-delegation-01, Tom Scavo, 12/15/2005
- RE: comments: draft-cantor-saml-sso-delegation-01, Scott Cantor, 12/15/2005
- Re: comments: draft-cantor-saml-sso-delegation-01, Tom Scavo, 12/15/2005
- RE: comments: draft-cantor-saml-sso-delegation-01, Scott Cantor, 12/15/2005
Archive powered by MHonArc 2.6.16.