
security-services message



Subject: Re: [security-services] FW: <NameID> element usage in the SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems


The history and statement of the problem below is 100% correct.  FWIW,
this issue has been resolved in the SAML V2.0 Deployment Profiles for
X.509 Subjects (sstc-saml2-profiles-deploy-x509-draft-01), the
document that grew out of draft 11
(sstc-saml2-profiles-x509-draft-11).  The former represents a
completely new document stream, however, so I'm not sure it is
relevant.  I mention it here for completeness.

Tom Scavo
NCSA/University of Illinois

On 12/13/06, Philpott, Robert <rphilpott@rsasecurity.com> wrote:
>
> Sending on behalf of Mike Merrill (currently a TC observer):
>
> -----------------------------------------------
>
> When the "SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based
> Systems" document moved from draft 10
> (sstc-saml-x509-authn-attrib-profile-draft-10) to draft 11
> (sstc-saml2-profiles-x509-draft-11), the document was
> renamed and drastically reorganized.  If I recall correctly, some committee
> members took exception to the extensive rewrite of the profile between
> drafts 10 and 11, which led to the withdrawal of the new draft.  Since then,
> no new draft of the profile has been submitted.
>
> The problem is that at least one usage issue was (I believe) correctly
> resolved in draft 11 but is now lost due to the withdrawal of that draft.
>
> Section 3.2.1 of draft 10 ("<AttributeQuery> Usage") outlines rules that an
> <AttributeQuery> element MUST conform to.  The third rule listed says:
>
> "The <NameID> element SHOULD have a NameQualifier attribute whose value is
> the Issuer DN from the principal's X.509 certificate.  The format of this DN
> SHOULD also comply with [RFC2253]."
>
> As I recall, there was some discussion on the mailing list about whether or
> not this conflicted with the guidance given in section 2.2.2 of the
> "Assertions and Protocols for the OASIS Security Assertion Markup Language
> (SAML) V2.0" document (saml-core-2.0-os) which states that:
>
> "The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless
> the element or format explicitly defines their use and semantics."
>
> The X.509 Subject Name format applicable here and defined in section 8.3.3
> of the previously mentioned document does not explicitly define the use of
> the NameQualifier or SPNameQualifier attributes.  The mailing list came to
> the conclusion that the "<AttributeQuery> Usage" section in draft 10 should
> be revised to indicate that the <NameID> element should not specify a
> NameQualifier.
>
> The recommendation was followed in section 2.3.1 ("<saml:NameID> Usage") of
> draft 11, where the third rule says:
>
> "As specified in [SAMLCore], the NameQualifier attribute of the
> <saml:NameID> element SHOULD be omitted."
>
> So, as an implementer of the profile defined in these documents, I've been
> wondering if a new draft has been planned that will correct this issue (and
> any others that I may not be aware of) that had already been corrected in
> the withdrawn draft 11.  Does anybody have any insight into this?
>
> Thank you in advance.
>
> Mike Merrill
> Principal Software Engineer
> (781) 515-7094
> mmerrill@rsasecurity.com
>
> RSA, The Security Division of EMC
>

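The rule the thread converges on (an <AttributeQuery> whose <NameID> uses the X.509 subject-name format carries no NameQualifier or SPNameQualifier, per SAML Core section 2.2.2) is easy to check mechanically. The following is an added example, not code from the thread, the TC, or either profile draft: a small conformance check over two constructed sample queries, one in the draft-10 style with the issuer DN in NameQualifier and one in the draft-11 style without it. The namespace URIs and the X509SubjectName format URN are the ones defined in SAML Core; the function names, sample query contents and the loose DN shape check are this example's own.

```python
import re
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# NameID format for X.509 subject names, defined in SAML Core section 8.3.3.
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


def looks_like_rfc2253_dn(dn):
    """Loose shape check only: one or more 'type=value' RDNs separated by
    unescaped commas. Not a full RFC 2253 parser (no multi-valued RDNs,
    no hex-encoded values), just enough to catch an obviously malformed DN."""
    rdns = re.split(r"(?<!\\),", dn)
    return all(re.fullmatch(r"\s*[A-Za-z0-9.-]+=.+", rdn) for rdn in rdns)


def check_attribute_query_nameid(xml_text):
    """Return a list of findings for the saml:NameID inside a samlp:AttributeQuery.
    An empty list means the NameID follows the draft-11 reading of SAML Core:
    X509SubjectName format, a DN as the value, and no qualifier attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AttributeQuery" % NS_SAMLP:
        return ["root element is not samlp:AttributeQuery"]
    name_id = root.find("{%s}Subject/{%s}NameID" % (NS_SAML, NS_SAML))
    if name_id is None:
        return ["no saml:Subject/saml:NameID found"]

    findings = []
    fmt = name_id.get("Format")
    if fmt != X509_SUBJECT_NAME:
        findings.append("NameID Format is %r, expected X509SubjectName" % fmt)
    # SAML Core 2.2.2: the qualifiers SHOULD be omitted unless the format
    # defines them, and the X.509 subject-name format does not.
    for attr in ("NameQualifier", "SPNameQualifier"):
        if name_id.get(attr) is not None:
            findings.append("%s present on NameID; SHOULD be omitted for this format" % attr)
    value = (name_id.text or "").strip()
    if not value:
        findings.append("NameID has an empty value; expected the subject DN")
    elif not looks_like_rfc2253_dn(value):
        findings.append("NameID value %r does not look like an RFC 2253 DN" % value)
    return findings


# Constructed sample in the draft-10 style: issuer DN carried in NameQualifier.
DRAFT10_STYLE_QUERY = """<samlp:AttributeQuery
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_q1" Version="2.0" IssueInstant="2006-12-13T00:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        NameQualifier="CN=Example CA,O=Example Org,C=US">CN=Alice,OU=Staff,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""

# Constructed sample in the draft-11 style: no qualifier attributes at all.
DRAFT11_STYLE_QUERY = """<samlp:AttributeQuery
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_q2" Version="2.0" IssueInstant="2006-12-13T00:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Alice,OU=Staff,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""


if __name__ == "__main__":
    for label, query in (("draft-10 style", DRAFT10_STYLE_QUERY),
                         ("draft-11 style", DRAFT11_STYLE_QUERY)):
        print(label, "->", check_attribute_query_nameid(query) or "conforms")
```

Run as a script it prints one finding for the draft-10 style query (the NameQualifier) and "conforms" for the draft-11 style one. A relying party that also consumes draft-10 style queries can use the same check to decide whether to ignore the NameQualifier rather than treat it as part of the subject identity, since the format gives the attribute no defined semantics.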
