I am with you on the change; although I'd rather it not fail but ignore and spit out a warning somewhere.
-----Original Message-----
From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: Tuesday, August 5, 2014 1:22 PM
To: cas-dev@lists.jasig.org
Subject: [cas-dev] CAS 2/3 Protocol Clarification w/r/t Proxy & Renew

I don't believe proxy and renew can go together logically, not in any sense I know them, but the following text can be misleading in light of that assumption:

2.6. /proxyValidate [CAS 2.0]

/proxyValidate MUST perform the same validation tasks as /serviceValidate and additionally validate proxy tickets. /proxyValidate MUST be capable of validating both service tickets and proxy tickets. See Section 2.5.4 for details.

2.6.1. parameters

/proxyValidate has the same parameter requirements as /serviceValidate. See Section 2.5.1.

So given that proxy tickets cannot support forced authentication (renew) since all the communication is back-channel, a request to validate a proxy ticket with the renew flag set makes no sense. I believe the text at present means "if a service ticket is presented, then renew is valid; otherwise the behavior is indeterminate" since /proxyValidate MUST handle both service and proxy tickets. I think it would be helpful to make that distinction more clear in the spec.

Moreover, I would recommend that we spell out the expected behavior on sending invalid protocol parameter sets; for example:

"If a proxy ticket is presented to /proxyValidate with the renew parameter set, validation MUST fail with INVALID_REQUEST."

M
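
The two behaviours discussed in this thread, side by side, as an added example that is not code from either poster or from the CAS server: `strict=True` follows the proposed "MUST fail with INVALID_REQUEST" wording, `strict=False` ignores renew and logs a warning. The in-memory registry, ticket ids, service URLs, the `from_primary_credentials` field and the "SUCCESS" return value are assumptions made for illustration; single-use ticket handling is left out.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("cas.proxyValidate")


@dataclass(frozen=True)
class Ticket:
    kind: str                       # "service" or "proxy"
    service: str                    # service the ticket was issued for
    from_primary_credentials: bool  # True only right after an interactive login


# Constructed sample registry; ids and URLs are made up for this example.
REGISTRY = {
    "ST-1-fresh": Ticket("service", "https://app.example.org/", True),
    "ST-2-sso": Ticket("service", "https://app.example.org/", False),
    "PT-3-proxy": Ticket("proxy", "https://backend.example.org/", False),
}


def proxy_validate(ticket_id, service, renew=False, strict=True):
    """Return (ok, code) for a simplified /proxyValidate request."""
    if not ticket_id or not service:
        return False, "INVALID_REQUEST"
    ticket = REGISTRY.get(ticket_id)
    if ticket is None:
        return False, "INVALID_TICKET"
    if ticket.service != service:
        return False, "INVALID_SERVICE"
    # Proxy tickets are obtained over the back channel, so renew cannot be
    # satisfied for them; this is the parameter set the thread is about.
    if renew and ticket.kind == "proxy":
        if strict:
            return False, "INVALID_REQUEST"
        log.warning("renew ignored for proxy ticket (service=%s)", service)
        renew = False
    # Service ticket with renew: must come from a fresh credential presentation.
    if renew and not ticket.from_primary_credentials:
        return False, "INVALID_TICKET"
    return True, "SUCCESS"  # placeholder for a successful validation response
```

With `strict=False` the caller that asked for renew receives a success response that looks the same as one backed by a fresh login; the warning is visible only in the server log.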