OASIS Mailing List Archives
security-services message



Subject: comments: sstc-saml-metadata-ext-query-cd-01


Document identifier: sstc-saml-metadata-ext-query-cd-01

Scott asked me to accumulate all my comments re this document in one place.

Errata:

[line 46] s/SAML V2.0/SAML V2.0 query requesters/

[line 66] s/SAML V2.0 metadata query extension/SAML metadata query extension/

[line 66] The sentence "In schema listings, this is the default
namespace and no prefix is shown" contradicts the sentence on line 80.
Perhaps the former should be deleted.

[line 69] s/Query Metadata Extensions for SAML V2.0/Query Metadata Extensions/

[line 71] s/,/:/

[line 79] The namespace prefix "query:" seems less descriptive than it
could be (maybe even misleading).  How about "mdquery:" or "querymd:"?

[line 116, 138, 160] s/See for/See the SAML V1.x metadata profile
[SAML1xMeta] for/

[line 242] s/SAML metadata extension schema/SAML Metadata Extension
Schema for Query Requester/

[lines 243--244]
s^http://www.oasis-open.org/committees/security/^http://www.oasis-open.org/committees/download.php/18062/sstc-saml-metadata-ext-query.xsd^

[lines 247] s^http://www.oasis-open.org/committees/security/^http://www.oasis-open.org/committees/download.php/18048/sstc-saml1x-metadata.xsd^

[lines 256--257]
s^http://www.oasis-open.org/committees/download.php/11903/saml-2.0-os-xsd.zip^http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd^

[lines 257--258]
s^http://www.w3.org/TR/xmlschema-1/^http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/^

Comments:

[line 10] I was an employee at NCSA at the time this document was
written, so this line should read:
Tom Scavo (tscavo@ncsa.uiuc.edu), NCSA/University of Illinois

[line 66] Suggested modifications to the table between lines 65--66:
s/assertion namespace [SAML2Core]/assertion namespace defined in the
SAML V2.0 core specification [SAML2Core]/
s/metadata namespace [SAML2Core]/metadata namespace defined in the
SAML V2.0 metadata specification [SAML2Meta]/
s/metadata query extension namespace,/metadata query extension namespace/

[line 116, 138, 160] These lines refer to the SAML V1.x Metadata
Profile, which does not apply, however, since any type derived from
md:RoleDescriptorType is undefined. Thus these types are not profiled
for use with SAML 1.x metadata.  This is a serious omission.

[line 155] Because of the contradiction on lines 66 and 80, the
namespace associated with the ActionNamespace element is not
immediately evident to the reader.  Upon further and careful reading,
this becomes clear, but wouldn't it be better to prefix the element
name with the "query:" prefix and be explicit about it?

[lines 204--218] The two RequestedAttribute elements in this example
denote the same attribute and attribute value (using alternate
notation that is irrelevant to this profile).  I suggest rewriting the
elements as follows:

<md:RequestedAttribute
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
  FriendlyName="eduPersonScopedAffiliation">
</md:RequestedAttribute>
<md:RequestedAttribute
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
  FriendlyName="eduPersonEntitlement">
  <saml:AttributeValue xsi:type="xsd:anyURI">
    https://gs.org/gridshib/entitlements/123456789
  </saml:AttributeValue>
</md:RequestedAttribute>

[line 242] The referenced schema document does not explicitly list an
author, so the author listed in the References is apparently in error.
Do the schema author(s) mirror the profile author(s) in this case?
(N.B. I was the original author of the schema document in question,
per Scott's suggestion.)

[line 255] Again, the referenced schema document does not explicitly
list an author, so the author listed in the References seems to be in
error.


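An added example, not part of the message above or of the OASIS document it reviews: Python that parses md:RequestedAttribute elements from a SAML V2.0 metadata fragment with explicit namespace bindings, flags entries that name the same attribute twice (the situation described for lines 204--218), and checks an asserted value against the values an element enumerates. The md: and saml: namespace URIs are the standard SAML V2.0 ones; the XML fragment, the service name and the attribute values are constructed for this example.

```python
"""Added example, not part of the original message or of the OASIS document
it reviews: parse md:RequestedAttribute elements from a SAML V2.0 metadata
fragment with explicit namespace bindings, flag entries that name the same
attribute twice, and check asserted values against the enumerated ones.
The fragment below is constructed for this example."""
import xml.etree.ElementTree as ET

# Standard SAML V2.0 namespace URIs (assertion from SAML2Core, metadata from SAML2Meta).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SAML2Core: an attribute with no NameFormat is treated as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: the first two entries request the same attribute
# (same NameFormat and Name); the second merely adds a value constraint.
SAMPLE = """\
<md:AttributeConsumingService index="0"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <md:ServiceName xml:lang="en">Example SP (constructed)</md:ServiceName>
  <md:RequestedAttribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
    FriendlyName="eduPersonScopedAffiliation"/>
  <md:RequestedAttribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
    FriendlyName="eduPersonScopedAffiliation">
    <saml:AttributeValue xsi:type="xsd:string">member@example.org</saml:AttributeValue>
  </md:RequestedAttribute>
  <md:RequestedAttribute isRequired="true"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
    FriendlyName="eduPersonEntitlement">
    <saml:AttributeValue xsi:type="xsd:anyURI">
      https://gs.org/gridshib/entitlements/123456789
    </saml:AttributeValue>
  </md:RequestedAttribute>
</md:AttributeConsumingService>
"""


def parse_requested_attributes(xml_text):
    """Return one dict per md:RequestedAttribute, in document order."""
    root = ET.fromstring(xml_text)
    result = []
    for ra in root.iterfind("md:RequestedAttribute", NS):
        # anyURI/string values are whitespace-collapsed by schema, so strip.
        values = [v.text.strip() for v in ra.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        result.append({
            "name": ra.get("Name"),
            "name_format": ra.get("NameFormat", UNSPECIFIED),
            "friendly_name": ra.get("FriendlyName"),
            "required": ra.get("isRequired", "false") in ("true", "1"),
            "values": values,
        })
    return result


def find_duplicates(attrs):
    """Keys (NameFormat, Name) that occur more than once.  FriendlyName is
    advisory only, so identity is decided by NameFormat and Name alone."""
    seen, dups = set(), []
    for a in attrs:
        key = (a["name_format"], a["name"])
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def accepts_value(requested, value):
    """An asserted value satisfies a RequestedAttribute when the element lists
    no values (any value is acceptable) or the value is one of those listed."""
    return not requested["values"] or value in requested["values"]


if __name__ == "__main__":
    attrs = parse_requested_attributes(SAMPLE)
    for a in attrs:
        print(a["friendly_name"], a["name_format"], a["name"], a["values"])
    print("duplicate keys:", find_duplicates(attrs))
```

Running the block prints the three parsed entries and reports the (NameFormat, Name) pair that appears twice; an SP metadata linter would treat such a pair as one attribute with the union of its value constraints rather than two requests.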