I don't believe proxy and renew can go together logically, not in any sense I know them, but the following text can be misleading in light of that assumption:

    2.6. /proxyValidate [CAS 2.0]

    /proxyValidate MUST perform the same validation tasks as /serviceValidate and additionally validate proxy tickets. /proxyValidate MUST be capable of validating both service tickets and proxy tickets. See Section 2.5.4 for details.

    2.6.1. parameters

    /proxyValidate has the same parameter requirements as /serviceValidate. See Section 2.5.1.

So given that proxy tickets cannot support forced authentication (renew) since all the communication is back-channel, a request to validate a proxy ticket with the renew flag set makes no sense. I believe the text at present means "if a service ticket is presented, then renew is valid; otherwise the behavior is indeterminate" since /proxyValidate MUST handle both service and proxy tickets.

I think it would be helpful to make that distinction more clear in the spec. Moreover, I would recommend that we spell out the expected behavior on sending invalid protocol parameter sets; for example: "If a proxy ticket is presented to /proxyValidate with the renew parameter set, validation MUST fail with INVALID_REQUEST."

M
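
The rule proposed in the message above, sketched as an added example (not part of the original post and not CAS server code). The Ticket model, sample_registry() and proxy_validate() are hypothetical names, and treating any presence of the renew parameter as "set" is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    """Hypothetical stand-in for a ticket-registry entry."""
    service: str
    is_proxy: bool             # True: proxy ticket, False: service ticket
    from_primary_login: bool   # issued from presentation of primary credentials


def sample_registry():
    """Constructed sample tickets; ids and URLs are illustrative only."""
    return {
        "ST-1-constructed": Ticket("https://app.example.org/", False, True),
        "ST-2-constructed": Ticket("https://app.example.org/", False, False),
        "PT-3-constructed": Ticket("https://backend.example.org/", True, False),
    }


def proxy_validate(params, registry):
    """Return (ok, error_code) for a /proxyValidate request.

    params is the decoded query string as a dict; registry maps ticket id
    to Ticket and is mutated, because a ticket is good for one attempt.
    """
    service, ticket_id = params.get("service"), params.get("ticket")
    if not service or not ticket_id:
        return (False, "INVALID_REQUEST")      # required parameter missing
    renew = "renew" in params                  # assumption: presence means set

    # Consume the ticket whether or not validation succeeds (one-time use).
    ticket = registry.pop(ticket_id, None)
    if ticket is None:
        return (False, "INVALID_TICKET")

    # Proposed rule: renew cannot apply to a proxy ticket, so reject the
    # parameter set itself instead of leaving the outcome indeterminate.
    if ticket.is_proxy and renew:
        return (False, "INVALID_REQUEST")
    if ticket.service != service:
        return (False, "INVALID_SERVICE")
    # Existing /serviceValidate semantics: renew requires an initial login.
    if renew and not ticket.from_primary_login:
        return (False, "INVALID_TICKET")
    return (True, None)
```
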