OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [security-services] LDAP Attribute Profile (saml-profiles-saml2.0)



On Jan 17, 2006, at 3:33 AM, RL 'Bob' Morgan wrote:

>
> On Mon, 16 Jan 2006, Greg Whitehead wrote:
>
>> 2) The ONLY clue we have that the AttributeValue is encoded using  
>> the X500/LDAP profile is an attribute in the profile namespace  
>> (x500:Encoding). Unless we know to look for that attribute, or we  
>> search for all attributes that we don't understand and throw up  
>> our hands if any are found, there is NO way to know what crazy  
>> encoding rules have been applied to the AttributeValue (such as  
>> ASN.1 octet string wrappers).
>
> Hmm, the point of the ldapprof:Encoding="LDAP" XML attribute isn't  
> to call out the use of the X.500/LDAP profile as a whole, it's to  
> indicate that, in that profile, the LDAP-specific encoding is being  
> used, rather than any other possible encodings, none of which have  
> been defined yet (but possibilities might include X.500 and RXER  
> some day).  If we had decided not to leave the door open for those  
> other encodings, but said this profile is only LDAP forever, there  
> would have been no Encoding XML attribute at all.

Ok, so unlike the Basic profile, where we have a profile-specific  
NameFormat, with the X.500/LDAP profile we're not flagging the use of  
the profile in-band (unless you count recognizing particular OIDs as  
being X.500/LDAP attributes). Instead, a deployment would need to  
configure each OID that it "knows" to use the X.500/LDAP profile for  
encoding/decoding.

This works, but it probably deserves some mention in errata.

> So I think the point is that by using as a SAML attribute Name an  
> OID that is defined as an X.500/LDAP attribute type, you're using  
> the X.500/LDAP profile, like it or not.  So it's like Scott said  
> about LDAP:  the format is determined by the attribute name, which  
> should be clear, no?

Right. Of course, I can define my own OIDs and then those would have  
to be communicated out-of-band to my peers and configured accordingly  
before they could be processed.

> I suppose someone could come along and add a myFormat="Klingon" XML  
> attribute to the AttributeValue element of any SAML Attribute in  
> hopes it would affect the processing.  Should SAML attribute  
> profiles have language specifically precluding this?  Seems like  
> trying to specify common sense.

Well, my point was that this is how the x500:Encoding="LDAP" XML  
attribute looked to me... but then I was looking for some way to  
detect the X.500/LDAP profile in-band. If you say that it can't be  
detected in-band (for any OID) then that's fine.

-Greg

>
>  - RL "Bob"
>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]