security-services-comment message

Subject: RE: [security-services-comment] Schema encoding

From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Harold Lockhart'" <hal.lockhart@oracle.com>,"'Agerbak, Per'" <per.agerbaek@capgemini.com>,<security-services-comment@lists.oasis-open.org>
Date: Mon, 26 Oct 2009 19:27:42 -0400

Harold Lockhart wrote on 2009-10-26:
> Does anyone know the intention behind this comment? Does SAML not do this?

I do recall them being left as ASCII. I seem to recall trying to change that
at some point pre-2.0, but there was push back that it was "more efficient"
to leave it as ASCII if the only characters used were ASCII.

My motivation for that at the time was definitely not WS-I compliance.

> In any event, since clearly the SAML schema CAN comply with this
> requirement, what is the issue?

There shouldn't be one, since all sane implementations that involve schemas
shouldn't be retrieving them remotely. Such a thing would be blatantly
insecure, so your local copy can always be altered.

-- Scott

References:
- Schema encoding
  - From: "Agerbak, Per" <per.agerbaek@capgemini.com>
- RE: [security-services-comment] Schema encoding
  - From: Harold Lockhart <hal.lockhart@oracle.com>