Ben Campbell <ben@xxxxxxxxxxx> writes:

>> -- section 7
>>
>> Does the GSS-API description introduce security considerations? If
>> not, please say so.
>>
>
> I did not see a response to this comment.

I missed this in my last e-mail. I propose we add another sub-section
of the security considerations like this:

   7.5. GSS-API specific security considerations

   Security issues inherent in GSS-API (RFC 2743) and GS2 (RFC 5801)
   apply to the SAML GSS-API mechanism defined in this document.
   Further, and as discussed in section 4, proper TLS server identity
   verification is critical to the security of the mechanism.

I believe this should cover the relevant security considerations.

Of course, having more implementation experience with the SAML
mechanism used as a GSS-API mechanism may help to identify further
security considerations for the GSS-API mechanism. However, I don't
believe that is a show-stopper that prevents publication now.

/Simon
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf