Subject: [no subject]


  _____  

From: Anthony Nadalin [mailto:drsecure@us.ibm.com] 
Sent: Monday, June 21, 2004 2:39 PM
To: wss@lists.oasis-open.org
Subject: [wss] Comments on SAML Token Profile



We ran into some inconsistencies while participating in the recent SAML
interop. The WSS core specification describes a "Direct Reference" mechanism
to be used with STRs. A Reference element with a URI attribute is used. When
the referenced token is located within the Security header, the URI contains
a shorthand XPointer reference to the token. In order for this to work, the
token element must contain an attribute of type ID. WSS defines the wsu:Id
attribute with type ID for naming the reference. Direct references within
the message should not require token specific methods so we suggest the
following actions be taken:

1) Errata to the WSS core to make it clear the tokens must have an attribute
named wsu:Id.
2) Change to the SAML Token Profile to use a wsu:Id attribute or use a
wsse:KeyIdentifier.

Anthony Nadalin | work 512.838.0085 | cell 512.289.4122


I have reviewed this comment and I think it may be an overly restrictive
interpretation of the intended usage of the URI attribute described in the
WS-Security core spec, section 7.2, lines 699-701.

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

In particular, the ValueType attribute (lines 702-708) appears to be intended
to provide token-specific processing rules to be applied in conjunction with
the URI attribute. In the case of SAML 1.1 assertions, the SAML ValueType
indicates that the saml:AssertionID should be treated as an XML ID type
attribute. As described in section 4.2 lines 418-425, this may be done
without requiring XML schema validation.

I have also looked at the REL Token Profile specification that has been
approved by the TC and this appears to suggest using this same mechanism
with direct references in Table 2 (section 3.4 line 150) and shows this
mechanism used in the example in section 3.5.1 lines 308-309, 336-342, and
again in the example in section 3.6.1 lines 404-405, 423-425 (although the
ValueType appears to have been left out in this 2nd example).

http://www.oasis-open.org/apps/org/workgroup/wss/download.php/7347/oasis-____-wss-REL-token-profile-1.0-draft08-clean.pdf

From my reading of these documents plus the use of the STR mechanism in
scenario 3 of the SAML Interop, which is compliant with the recommended
usage in the SAML Token Profile (Section 3.3.1 lines 318-319, lines 326-331)

http://www.oasis-open.org/apps/org/workgroup/wss/download.php/6877/WSS-SAML-11.pdf

it appears that both the SAML and REL authors and interop participants have
interpreted the usage of ValueType and URI in the STR element to allow for
the token (license or assertion) having its own ID-type attribute.

    Rich Levinson
    Netegrity
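The direct-reference behaviour both messages argue about, as an added example that is not code from this thread or from any OASIS implementation: a resolver that knows only the core spec's wsu:Id cannot locate a SAML 1.1 assertion identified by its AssertionID, unless the STR ValueType tells it which ID-type attribute to consult. Namespace URIs are the WSS 1.0 and SAML 1.1 ones; the SAML assertion-ID ValueType URI is taken from the final SAML Token Profile 1.0 and is an assumption here, since the thread only says "the SAML ValueType".

```python
import xml.etree.ElementTree as ET
# Namespaces from WSS 1.0 core and SAML 1.1, in ElementTree's Clark notation.
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
# Assumed: the assertion-ID ValueType URI as published in the final SAML Token Profile 1.0.
SAML_ASSERTION_ID_VT = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

# ValueType -> (element the id must live on, or None; its ID-type attribute).
# With no ValueType the resolver knows only the core spec's generic wsu:Id.
ID_RULES = {
    None: (None, WSU + "Id"),
    SAML_ASSERTION_ID_VT: (SAML + "Assertion", "AssertionID"),  # unqualified attribute
}

def resolve_direct_reference(security, reference):
    """Resolve a wsse:Reference whose URI is a same-message shorthand XPointer ("#id").
    Other URI forms, unknown ValueTypes and ids matching zero or several elements
    are rejected, so the caller never acts on an ambiguous token."""
    uri = reference.get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError("only same-message '#id' references are handled here")
    value_type = reference.get("ValueType")
    if value_type not in ID_RULES:
        raise ValueError("no ID-attribute rule for ValueType %r" % value_type)
    tag, attr = ID_RULES[value_type]
    hits = [e for e in security.iter()
            if e.get(attr) == uri[1:] and (tag is None or e.tag == tag)]
    if len(hits) != 1:
        raise LookupError("%d elements carry %s=%r" % (len(hits), attr, uri[1:]))
    return hits[0]

def str_reference(uri, value_type=None):  # minimal wsse:Reference (constructed input)
    ref = ET.Element(WSSE + "Reference", URI=uri)
    if value_type is not None:
        ref.set("ValueType", value_type)
    return ref

# Constructed Security header: a SAML 1.1 assertion identified only by its own
# AssertionID, beside a BinarySecurityToken identified by the generic wsu:Id.
SECURITY = ET.fromstring(
    '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:saml="%s">'
    '<saml:Assertion AssertionID="_a75adf55" MajorVersion="1" MinorVersion="1"/>'
    '<wsse:BinarySecurityToken wsu:Id="X509Token">constructed</wsse:BinarySecurityToken>'
    '</wsse:Security>' % (WSSE[1:-1], WSU[1:-1], SAML[1:-1]))

def demo():
    """wsu:Id resolves; the assertion resolves only once ValueType names AssertionID."""
    out = {"bst": resolve_direct_reference(SECURITY, str_reference("#X509Token")).tag,
           "saml_typed": resolve_direct_reference(
               SECURITY, str_reference("#_a75adf55", SAML_ASSERTION_ID_VT)).get("AssertionID")}
    try:
        resolve_direct_reference(SECURITY, str_reference("#_a75adf55"))
        out["saml_untyped"] = "resolved"
    except LookupError:  # the assertion has no wsu:Id: the interop inconsistency
        out["saml_untyped"] = "unresolved"
    return out
```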
