security-services message

Subject: URGENT: normative refs (was Re: [security-services] FW: status of ITU submission)


Here is my proposal.  Can folks please review it ASAP so we can give the 
ITU-T folks a definitive answer on this stuff?  Thanks!

	Eve

			*		*		*

There are several individual documents in the SAML V1.1
specification suite, with individual References sections:

     * Assertions and Protocol

     * Bindings and Profiles

     * Security and Privacy Considerations (all non-normative
       by virtue of the document's being non-normative)

     * Conformance Program Specification

     * Glossary (all non-normative; all definitions used from
       external sources have been reproduced here, and none of
       the sources are required for conformance)

     * Assertion Schema (its normative references are taken
       care of by the Assertions and Protocol document)

     * Protocol Schema (its normative references are taken
       care of by the Assertions and Protocol document)

For SAML V2.0, I will ensure that we divide our references into
Normative and Non-Normative sections.  For purposes of this ITU
inquiry, as well as for SAML V2.0 purposes, I suggest that we
make two assumptions:

1) The Conformance Program Specification is the entry point
    for the entire SAML specification suite as far as normatively
    referencing other parts of the suite is concerned, so that
    references from other specifications to SAML can merely
    point to SAMLConform in order to pick up the entire suite.

2) Intra-suite references that appear in each spec should be
    categorized as normative, except that references to
    Security and Privacy Considerations should be non-normative.

Following is my interpretation of the references from SAML to
external specifications that are normative.  Please give me your
recommendations and comments.


Assertions and Protocol:

Normative:
Excl-C14n (line 1583; has a SHOULD)
RFC2119 (normative for language interpretation)
RFC2396 (lines 219, 841, 867, 1148; normative for correct
interpretation of RECOMMENDED instruction on URIs)
SAML-XSD (lines 173, 190, 203)
SAMLP-XSD (lines 174, 190, 206)
SAMLBind (lines 172, 293, 669; 933, 1074, 1848)
SAMLConform (line 294)
SAMLGloss (line 265)
Schema1 (lines 177, 198, 1789; need it to interpret schemas)
UNICODE-C (line 251; comparison method is a MUST)
XML (lines 217, 240, 257, 258)
XMLSig (lines 674, 1561, 1598, 1605, 1996; note not all refs
   normative)
XMLSig-XSD (lines 197, 210; imported into SAML schemas)

Non-normative:
Needham78 (line 1857; not required for conformance)
PGP (line 1877; not required for conformance)
PKIX (line 1872; not required for conformance)
RFC 1510 (line 1857; not required for conformance)
RFC 2246 (line 1868; not required for conformance)
RFC 2253 (line 1968; not required for conformance)
RFC 2630 (never referenced! oops)
RFC 2822 (line 1959; not required for conformance)
RFC 2945 (line 1861; not required for conformance)
RFC 3075 (line 1891; not required for conformance)
SAMLCore1.0 (line 1606; historical reference)
SAMLSecure (line 295)
SPKI (line 882; not required for conformance)
X.500 (line 1872; not required for conformance)
XKMS (line 1887; not required for conformance)

Unclear:
Schema2 (lines 215, 222, 507; already ref'd by Schema1)
W3C-CHAR (line 248; doc ref'd is not finished yet; ck status)
W3C-CharMod (line 253; ck status of doc)


Bindings and Profiles:

Normative:
HTML401 (lines 708, 767; needed for browser/POST)
RFC1945 (lines 454, 492; profiles depend on this or HTTP 1.1)
RFC2045 (lines 572, 723; base64 needed for browser/artifact)
RFC2119 (line 139; normative for language interpretation)
RFC2246 (line 879; Section 3.1.3.2 says mandatory to implement)
RFC2616 (lines 435, 453, 492; profiles depend on this or
   HTTP 1.0; note not all refs normative)
RFC2617 (line 288; Section 3.1.3.2 says mandatory to implement)
SAMLCore (lines 115, 146, 147, 320, 730, 770, 842)
SAMLGloss (line 135)
SOAP1.1 (lines 151, 200, 234, 240, 243, 273, 308; required
   for SOAP over HTTP binding)
SSL3 (line 879; Section 3.1.3.2 says mandatory to implement)

Non-normative:
AES (line 884; AES cipher suite not required)
Anders (line 744; just a note about JavaScript)
CoreAssnEx (line 569; in a non-normative note)
Liberty (line 376; just an example of a profile defined outside)
MSURL (line 913; ref'd in non-normative Section 8)
Rescorla-Sec (lines 598, 795; security considerations)
RFC1750 (line 595; just provides advice and definitions)
SAMLSec (line 302)
SAMLReqs (line 366; informational/historical)
SAMLWeb (line 185; non-normative registry of others' profiles)
SESSION (line 386; just an example)
ShibMarlena (lines 570, 598, 795; non-normative security
   considerations)
WEBSSO (line 385; just an example)
WSS-SAML (line 374; just an example, now obsolete)

Unclear:
RFC1738 (line 448; borrows just its terminology, but URLs
   are required for these profiles)
RFC2279 (line 904; needed for alternative artifact format)
XMLSig (lines 149, 863; required for holder of key?)


Conformance Program Specification:

Normative:
SAMLAssertion (line 134)
SAMLBind (line 133 and throughout Section 4)
SAMLCore (line 129 and throughout Section 4)
SAMLGloss (line 132)
SAMLProtocol (line 135)

Non-normative:
RFC2119 (line 113)
SAMLSec (line 130)
NIST/ITL (line 255; discussion point)
WSS-SAML (line 159; informational)

Unclear:
(none)


Philpott, Robert wrote:
...
> -----Original Message-----
> From: Karl F. Best [mailto:karl.best@oasis-open.org] 
> Sent: Friday, January 23, 2004 8:58 AM
> To: Philpott, Robert; 'Mishra, Prateek'; Hal Lockhart; Bill Parducci
> Cc: Eve L. Maler
> Subject: status of ITU submission
> 
> A status update on the ITU submission:
> 
> I think that I've got everything except for the list of normative vs. 
> non-normative references that Eve has offered to put together for SAML. 
> (Bill provided this for XACML.)
...
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com
