atom feed14 messages in org.oasis-open.lists.security-servicesRE: [security-services] comments re s...
FromSent OnAttachments
Tom ScavoOct 17, 2008 4:59 pm 
Nate KlingensteinNov 2, 2008 8:14 pm 
Tom ScavoNov 4, 2008 7:47 am 
Scott CantorNov 4, 2008 8:09 am 
Scott CantorNov 4, 2008 8:38 am 
Tom ScavoNov 4, 2008 8:39 am 
Tom ScavoNov 9, 2008 11:27 am 
Nate KlingensteinNov 9, 2008 9:13 pm 
Tom ScavoNov 10, 2008 5:38 am 
Mary McRaeNov 10, 2008 5:53 am 
Scott CantorNov 10, 2008 7:32 am 
Tom ScavoNov 10, 2008 10:53 am 
Scott CantorNov 10, 2008 11:48 am 
Tom ScavoNov 10, 2008 12:02 pm 
Subject:RE: [security-services] comments re sstc-saml-holder-of-key-browser-sso-draft-07
From:Scott Cantor (cant@osu.edu)
Date:Nov 10, 2008 11:48:44 am
List:org.oasis-open.lists.security-services

Perhaps you're right.

Note, I'm not objecting to the text, much like in the other case, just suggesting it may not belong here.

This seems like a good errata for core, more than a specific addition to this profile. I agree that the current text doesn't read all that well. It implies that the IdP has to return an error, but it doesn't come out and say it, so I think we should clean that up.

That's fine.

I will add a PE to my backlog.

In the case of HoK Web Browser SSO, the problem is likely associated with the X.509 certificate obtained from TLS client auth (so the RequestUnsupported status code is relevant, I think).

In some cases, sure, but I don't think we need to require it. As a matter of interop, there aren't many cases where mandating a second level status is worth bothering with.

There's not much we can do about this in the HoK Web Browser SSO Profile except to perhaps RECOMMEND to the client to use a DER-encoded certificate. I doubt that recommendation is gonna make much difference, however.

Based on the feedback I'm getting, it pretty much makes no difference. The problem is that if people get non-DER certs, they're stuck with them. That's kind of the problem here.

-- Scott