Subject: comments: sstc-saml-x509-authn-based-attribute-protocol-2.0-draft-02
Document: sstc-saml-x509-authn-based-attribute-protocol-2.0-draft-02

Errata:

[page 2, line 6] Replace "X.509v3" with "X.509v3 [RFC3280]" and add the reference to section 2.
[page 2, line 8] Replace "urn:oasis:names:tc:SAML:2.0:profiles:x509authattributesharing" with "urn:oasis:names:tc:SAML:2.0:profiles:query:X509SubjectName". The URI of section 6 of [SAMLProf] is a prefix of the latter.
[page 2, line 16] Replace "Attribute Query/Response Profile" with "Assertion Query/Request Profile", which is what it's called in [SAMLProf]. Remove the parenthetic comment.
[page 2, line 21] Replace "i.e." with "i.e.,".
[page 2, line 22] Replace "certificate and not a SAML assertion" with "certificate, not a SAML assertion".
[page 2, line 24] Replace "Even after" with "After".
[page 2, lines 27--29] Replace the last sentence of section 1.2.1 with "When the identity provider returns the relevant attributes, the service provider is able to make an informed access control decision."
[page 2, line 32] Replace the hyphen with an em-dash.
[page 3, line 1] Replace "User" with "Principal" in the box.
[page 3, line 1] Number all arrows in the diagram.
[page 3, line 4] Replace "HTTP User Agent, makes an HTTP request" with "HTTP user agent, makes a request".
[page 3, lines 13--14] Replace "over the" with "using a".
[page 3, lines 15--17] Add normative language to the last sentence in this paragraph and move the sentence to a subsequent section.
[page 3, line 22] Replace "for" with "pertaining to".
[page 3, line 23] Add normative language to this sentence and move it to a subsequent section.
[page 4, line 1] Replace "response" with "the response" and move this sentence to a subsequent section.
[page 4, line 5] Replace "themselves" with "itself" and move this sentence to a subsequent section.
[page 4, lines 12--14] Replace this sentence with "Based on the results of steps 5 and 6, the service returns the requested resource or returns an error."
[page 4, lines 15, 17] Remove these blank lines.
[page 4, line 33] Replace "the [Attribute Request/Response Profile]" with "section 6 of [SAMLProf]".
[page 4, lines 34--35] Move this sentence to section 1.3.
[page 4, line 37] Insert a space before "MUST".
[page 4, line 39] A section number is apparently missing.
[page 5, lines 6--7] This sentence is redundant.
[page 5, line 18] Replace "mean" with "means".
[page 5, line 22] Replace "issue" with "Issue".
[page 5, line 24] Replace "the [Attribute Request/Response Profile]" with "section 6 of [SAMLProf]".
[page 5, lines 25--26] This sentence is redundant.
[page 5, line 29] Insert a comma after "successful".
[page 5, lines 31, 32] The word "element" is set in the wrong font.
[page 5, line 32] Replace "<EncryptedAssertion>" with "<EncryptedAssertion> element".
[page 5, line 35] Replace "<SubjectConfirmation>" with "<SubjectConfirmation> element".
[page 5, line 35] Replace the second occurrence of "'holder-of-key'" with "'holder-of-key' is used".
[page 5, line 37] Replace "themselves" with "itself".
[page 5, line 40] What does "It" refer to?
[page 5, line 40] This bulleted item should be the first bulleted item in the list.
[page 6, lines 11--12] This sentence is redundant.
[page 6, lines 21--28] All of the angle brackets are set in the wrong font.
[page 6, line 29] Delete this blank line.
[page 6, lines 35, 37] Replace "Identity Providers" with "identity providers".
[page 7, line 6] Delete this blank line.
[page 8, line 7] Replace "[SAMLProfiles]" with "[SAMLProf]".

Comments:

- Insert the usual section 1 (Introduction) and section 1.1 (Notation). In particular, all prefixes should be defined in section 1.1.
- All XML elements should be prefixed for clarity.
- The introductory paragraph [page 2, lines 3--6] should reference section 6 of [SAMLProf], which itself references [SAMLCore] and [SAMLBind].
- Section 1.2.1, which contains introductory material, does not belong with the rest of the content in section 1.
- Define "service provider" in section 1.2.1. (Evidently this is not the "service provider" of the browser profiles.)
- In section 1.2.1, instead of saying "This is configured outside of SAML", suggest (and later show how to use) SAML 2.0 metadata.
- In section 1.3, discuss the <saml:NameIdentifier> element alluded to on [page 3, lines 14--15].
- In the diagram on page 3 (and in the corresponding text), I think you can safely omit the steps "Request Authentication" and "Authentication", and assume that authentication occurs at step 1 in conjunction with the initial request. Since the profile focuses on the attribute exchange, such a simplification is particularly appealing.
- In the sequence of steps on pages 3--4, remove any normative language from the steps not covered by this profile, that is, any step except steps 4 and 5.
- Instead of a "service provider configuration setting" on line 19 of page 3, why not recommend using SAML 2.0 metadata?
- In section 1.3, the security requirements seem overspecified. Wouldn't it be better to specify the requirements in more general terms (bilateral authentication, integrity, confidentiality) and leave the details as a deployment decision? You can make recommendations of course in section 1.4.
- In section 1.3, why must the attributes be encrypted if integrity and confidentiality are assured by other means (such as SSL/TLS)?
- In section 1.3.1 [line 32], did you intend to reference an assertion in the query or is this a typo?
- On line 8 [page 5], is the symmetric key established out of band?
- On lines 8--15 [page 5], I think you're making some unreasonable assumptions on behalf of the reader. You should define the xenc: prefix (in an introductory section) and give a reference to [XMLEnc].
- The opening sentence to section 1.3.2.1 refers to standard SAML protocol, does it not?
- On lines 38--39 [page 5], you're assuming the IdP has access to the certificate (which is not generally true).
- On line 2 [page 5], shouldn't the response be signed instead of the assertion? Same comment applies to lines 13--14.
- In section 2, update the references to the most recent versions of the SAML 2.0 docs. Add [RFC3280] and [XMLEnc].
- How are you dealing with the IdP Discovery problem?
- Throughout the document, an attempt should be made to separate the detailed security considerations from the general description of the profile. Why not add a section entitled "Security and Privacy Considerations"?