Description
Incorporated feedback from John Linn, added references for SSL, OCSP and XKMS, added a reference to the Liberty Privacy and Security best practices, and fixed links. Rewrote the SOAP Binding Message Insertion threat section (6.1.3). Revised 6.4.1: an authentication assertion is required in the POST binding for the non-SSO profile to allow timely subject confirmation. Revised 6.4.4 (browser state exposure) not to require an SSO assertion, but the assertion should have a OneTimeUse conditions element. Removed the requirement for an SSO assertion in the 6.5.1 stolen artifact discussion. Revised the SSO threats/countermeasures to mention the binding discussion. Provided a countermeasure for message deletion in 7.1.1.6. Added a cookie poisoning note to the IDP Discovery profile. Added a collusion threat and countermeasure to the Name Identifier profile (7.2). Removed extra detail from the NameIdentifier and Attribute Profile sections. Provided summary section 8, mentioning out-of-scope issues and the purpose of the document. Various editorial fixes.