security-services message

Subject: Re: Attribute Sharing Profile for X.509 Authentication-Based Systems (Draft-12)


On 3/25/07, Tom Scavo <trscavo@gmail.com> wrote:
> Draft-12 of the Attribute Sharing Profile has been uploaded to the archive:
>
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/23148/sstc-saml-x509-authn-attrib-profile-draft-12.odt
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/23149/sstc-saml-x509-authn-attrib-profile-draft-12.pdf
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/23150/sstc-saml-x509-authn-attrib-profile-draft-12-diff.pdf
>
> There are still two "bugs" that I can see:
>
> 1. The <saml:Audience> requirement on lines 191--192 can only be met
> if the SP authenticates to the IdP, but the security characteristics
> of Basic Mode are mostly inherited from the Attribute Query/Request
> Profile, which does not mandate authenticated queries.

Okay, consensus on the call was that the IdP puts whatever identifier
the SP provides into the <saml:Audience>.  That's fine.

> 2. The metadata requirements in section 3.4 stipulate that if SAML
> metadata is used, query:AttributeQueryDescriptorType SHOULD be used,
> but since this type is the only such type available for use, it seems
> the normative language is too weak in this case.

I'm still not clear on how best to reword this.  Scott, would you mind
taking a crack at this?  Here's how it stands now:

---------------------
The service provider and identity provider MAY use metadata in support
of this deployment profile for locating endpoints, communicating key
information, and so on. If SAML V2.0 metadata is used, the
<md:AttributeAuthorityDescriptor> element defined by the SAML metadata
specification [SAMLMeta] and the query:AttributeQueryDescriptorType
complex type defined by the SAML metadata extension specification
[SAMLMeta-Ext] SHOULD be used with this deployment profile.
---------------------

Thanks,
Tom
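
The SP-side consequence of the <saml:Audience> decision above, as an added example that is not part of this thread or the profile draft: the requester checks that the identifier it supplied with its query comes back as the assertion's audience, applying the SAML Core rule that every <saml:AudienceRestriction> must be satisfied and that, within one, any listed <saml:Audience> may match. The entity IDs and the sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: what an IdP might return in Basic Mode, echoing the
# identifier the SP sent with its query into <saml:Audience>.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2007-03-25T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
      >CN=Alice,O=Example</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample with no audience at all; the profile requires one, so reject.
NO_AUDIENCE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_decaf" Version="2.0" IssueInstant="2007-03-25T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
</saml:Assertion>"""


def audience_ok(assertion_xml: str, my_identifier: str) -> bool:
    """Return True only if every AudienceRestriction names my_identifier.

    my_identifier is the identifier the SP supplied with its attribute query
    (normally its entityID); the IdP is expected to echo it as the Audience.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        return False
    for restriction in restrictions:
        audiences = {
            a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text
        }
        # All restrictions must hold; within one, any Audience may match.
        if my_identifier not in audiences:
            return False
    return True
```

An assertion that passes this check should still be signature-verified and checked for validity period and issuer before its attributes are trusted.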

