Subject: Re: [security-services] FW: <NameID> element usage in the SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems
The history and statement of the problem below is 100% correct. FWIW, this issue has been resolved in the SAML V2.0 Deployment Profiles for X.509 Subjects (sstc-saml2-profiles-deploy-x509-draft-01), the document that grew out of draft 11 (sstc-saml2-profiles-x509-draft-11). The former represents a completely new document stream, however, so I'm not sure it is relevant. I mention it here for completeness.

Tom Scavo
NCSA/University of Illinois

On 12/13/06, Philpott, Robert <rphilpott@rsasecurity.com> wrote:
>
> Sending on behalf of Mike Merrill (currently a TC observer):
>
> -----------------------------------------------
>
> When the "SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based
> Systems" document moved from draft 10
> (sstc-saml-x509-authn-attrib-profile-draft-10) to draft 11
> (sstc-saml2-profiles-x509-draft-11), the document was renamed and
> drastically reorganized. If I recall correctly, some committee members took
> exception to the extensive rewrite of the profile between drafts 10 and 11,
> which led to the withdrawal of the new draft. Since then, no new draft of
> the profile has been submitted.
>
> The problem is that at least one usage issue was (I believe) correctly
> resolved in draft 11 but is now lost due to the withdrawal of that draft.
>
> Section 3.2.1 of draft 10 ("<AttributeQuery> Usage") outlines rules that an
> <AttributeQuery> element MUST conform to. The third rule listed says:
>
> "The <NameID> element SHOULD have a NameQualifier attribute whose value is
> the Issuer DN from the principal's X.509 certificate. The format of this DN
> SHOULD also comply with [RFC2253]."
>
> As I recall, there was some discussion on the mailing list about whether or
> not this conflicted with the guidance given in section 2.2.2 of the
> "Assertions and Protocols for the OASIS Security Assertion Markup Language
> (SAML) V2.0" document (saml-core-2.0-os), which states that:
>
> "The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless
> the element or format explicitly defines their use and semantics."
>
> The X.509 Subject Name format applicable here and defined in section 8.3.3
> of the previously mentioned document does not explicitly define the use of
> the NameQualifier or SPNameQualifier attributes. The mailing list came to
> the conclusion that the "<AttributeQuery> Usage" section in draft 10 should
> be revised to indicate that the <NameID> element should not specify a
> NameQualifier.
>
> The recommendation was followed in section 2.3.1 ("<saml:NameID> Usage") of
> draft 11, where the third rule says:
>
> "As specified in [SAMLCore], the NameQualifier attribute of the
> <saml:NameID> element SHOULD be omitted."
>
> So, as an implementer of the profile defined in these documents, I've been
> wondering if a new draft has been planned that will correct this issue (and
> any others that I may not be aware of) that had already been corrected in
> the withdrawn draft 11. Does anybody have any insight into this?
>
> Thank you in advance.
>
> Mike Merrill
> Principal Software Engineer
> (781) 515-7094
> mmerrill@rsasecurity.com
>
> RSA, The Security Division of EMC
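The two <NameID> forms the thread compares, as an added example that is not part of the thread or of any OASIS document: a draft-10 style <AttributeQuery> carrying the issuer DN in NameQualifier next to a draft-11 style one that omits it, plus a small checker that applies the saml-core-2.0-os section 2.2.2 rule (qualifier attributes omitted for the X.509 Subject Name format of section 8.3.3) and a normalizer that rewrites the first form into the second. The query IDs, issuer URL and DNs are constructed placeholders; the function names are this example's own.

```python
"""Check a SAML V2.0 <AttributeQuery> against the <NameID> rule discussed in
the thread: for the X.509 Subject Name format (saml-core-2.0-os 8.3.3),
NameQualifier and SPNameQualifier should be omitted (saml-core-2.0-os 2.2.2;
draft 11 section 2.3.1, rule 3). Example code, not from the thread; the two
sample queries below are constructed for illustration.
"""
from typing import List
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Keep the samlp:/saml: prefixes when re-serializing instead of ns0:/ns1:.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _find_name_id(root: ET.Element) -> ET.Element:
    """Locate saml:Subject/saml:NameID inside a samlp:AttributeQuery."""
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("root element is not samlp:AttributeQuery")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no saml:Subject/saml:NameID in the query")
    return name_id


def check_name_id(query_xml: str) -> List[str]:
    """Return the list of rule violations found (empty means the NameID is clean)."""
    name_id = _find_name_id(ET.fromstring(query_xml))
    problems = []
    if name_id.get("Format") != X509_SUBJECT_NAME:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected X509SubjectName")
    if not (name_id.text or "").strip():
        problems.append("NameID carries no subject DN")
    # Draft 10 put the certificate issuer DN in NameQualifier; saml-core 2.2.2
    # and draft 11 say both qualifier attributes should be omitted for this format.
    for attr in ("NameQualifier", "SPNameQualifier"):
        if attr in name_id.attrib:
            problems.append(f"{attr}={name_id.attrib[attr]!r} present; should be omitted for X509SubjectName")
    return problems


def normalize_name_id(query_xml: str) -> str:
    """Rewrite a draft-10 style query into draft-11 form by dropping the qualifiers."""
    root = ET.fromstring(query_xml)
    name_id = _find_name_id(root)
    for attr in ("NameQualifier", "SPNameQualifier"):
        name_id.attrib.pop(attr, None)
    return ET.tostring(root, encoding="unicode")


# Constructed sample queries; IDs, issuer and DNs are placeholders.
DRAFT10_STYLE_QUERY = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-query-1" Version="2.0" IssueInstant="2006-12-13T12:00:00Z">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        NameQualifier="CN=Example CA,O=Example Org,C=US">CN=Alice,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""

DRAFT11_STYLE_QUERY = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-query-2" Version="2.0" IssueInstant="2006-12-13T12:00:00Z">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        >CN=Alice,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""

if __name__ == "__main__":
    for label, query in (("draft 10 style", DRAFT10_STYLE_QUERY), ("draft 11 style", DRAFT11_STYLE_QUERY)):
        print(label, "->", check_name_id(query) or "OK")
    print("normalized draft 10 query ->", check_name_id(normalize_name_id(DRAFT10_STYLE_QUERY)) or "OK")
```

The checker flags the draft-10 form once (NameQualifier present) and passes the draft-11 form; an attribute authority that still receives draft-10 style queries can run them through normalize_name_id before matching the subject DN, since the issuer DN in NameQualifier carries no defined semantics for this format and is not what the subject lookup should key on.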