Subject: Re: [security-services-comment] comment on SAML V2.0 X.500/LDAP AttributeProfile: attribute options


Scott Cantor wrote:

> What is definite is that the FriendlyName is non-normative and would never
> be considered itself. 

Agree.

I suggest in section 2.3 around line 102 change
"that the derived SAML attribute names are unambiguous" to
"that the derived SAML attribute names, for X.500 attribute types
and LDAP attribute descriptions without any tagging options,
are unambiguous".

and one of the following possibilities:

(1) add a new paragraph to 2.3 before 2.3.1

    "Tagging options on LDAP attribute descriptions are not currently
     transferred in the Name field of SAML attributes."

     and add a new sentence to 2.3.1

     "However, two SAML attributes resulting from two LDAP attributes with
      the same attribute type and different attribute descriptions will
      also match for equality."

(2) add a new paragraph to 2.3 before 2.3.1

    "This profile only specifies the transfer of X.500 attributes and
     LDAP attributes in which the attribute descriptions have no tagging
     options.  Other profiles specify how SAML attributes are constructed
     for LDAP attributes with tagging options in the attribute descriptions."

(3) add a new sentence to 2.3.1

     "However, two LDAP attributes with the same attribute type and different
      attribute descriptions will match for equality."

     and add a new section 2.3.2

     2.3.2 Attribute description tagging options

     If the "binary" attribute description tagging option is present in the
     LDAP attribute, the LDAP attribute value should be encoded using the
     base64-encoding, as discussed in section 2.5 below.

     If a language tag attribute description tagging option [RFC 3866] is
     present in the LDAP attribute, then the language code from this option
     can be represented in the XML attribute xml:lang on the
     <AttributeValue> element.

     Other profiles specify how SAML attributes are constructed for LDAP
     attributes with other tagging options.


     [RFC 3866] Language Tags and Ranges in the Lightweight Directory Access
     Protocol (LDAP). K. Zeilenga, Ed. July 2004.



BTW for the reference [LDAP]: RFC 3377 is obsoleted by RFC 4510.

4510 Lightweight Directory Access Protocol (LDAP): Technical
      Specification Road Map. K. Zeilenga. June 2006.

Mark Wahl
Informed Control Inc.
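An added example, not part of the thread above or of the OASIS profile text: it parses an LDAP attribute description (RFC 4512 syntax, type followed by optional ";option" tags), derives the SAML attribute Name from the attribute type alone, and applies proposal (3) to the "binary" and "lang-*" options. The OID table is a small constructed sample; the rejection of other options and the xml:lang mapping follow the proposal, not any published normative text.

```python
import base64
import re

# Constructed sample table: attribute type (lowercased) -> OID. The profile
# names every attribute "urn:oid:<OID>" (NameFormat ...:attrname-format:uri).
OIDS = {"cn": "2.5.4.3", "description": "2.5.4.13", "usercertificate": "2.5.4.36"}

# RFC 4512: attributedescription = attributetype *( ";" option ), where the
# type is a descriptor or a dotted numeric OID and options are ALPHA/DIGIT/"-".
_DESC_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)((?:;[A-Za-z0-9-]+)*)$")


def parse_description(desc):
    """Split 'cn;lang-de;binary' into ('cn', ['lang-de', 'binary'])."""
    m = _DESC_RE.match(desc)
    if not m:
        raise ValueError("malformed attribute description: %r" % desc)
    options = [o for o in m.group(2).split(";") if o]
    return m.group(1).lower(), options


def to_saml_attribute(desc, value):
    """Return (Name, xml_attrs, text) for one LDAP value, following proposal (3):
    the Name is derived from the attribute type only (so cn and cn;lang-de
    collide, which is the ambiguity the message raises), 'binary' base64-encodes
    the value, 'lang-*' becomes xml:lang, and any other option is rejected."""
    attr_type, options = parse_description(desc)
    oid = OIDS.get(attr_type) or (attr_type if attr_type[0].isdigit() else None)
    if oid is None:
        raise KeyError("unknown attribute type %r" % attr_type)
    xml_attrs, text = {}, value
    for opt in options:
        lowered = opt.lower()  # tagging options are case-insensitive
        if lowered == "binary":
            raw = value if isinstance(value, bytes) else value.encode("utf-8")
            text = base64.b64encode(raw).decode("ascii")
        elif lowered.startswith("lang-"):
            xml_attrs["xml:lang"] = opt[len("lang-"):]
        else:
            raise ValueError("option %r is left to other profiles" % opt)
    return "urn:oid:" + oid, xml_attrs, text


def names_collide(desc_a, desc_b):
    """True when two descriptions map to the same SAML Name (options dropped)."""
    return to_saml_attribute(desc_a, "")[0] == to_saml_attribute(desc_b, "")[0]
```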


