Thanks for your comments, Markus. The resolutions taken to them are as follows:
Comment #1 – issue
We made the proposed correction. See
for a corrected version.
Comment #2 – issue
The consensus during 4/15 call was that the existing text mentions proxies and is sufficient to explain the problem. No change
Comment #3 – issue
The particular usage mentioned is the KeyIdentifier ValueType to be used, which should be handled per the WS-Security SAML Token Profile (http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SAMLTokenProfile.pdf)
Per that profile, in section 3.4, the ValueType constants for KeyIdentifier are:
Other constants may be applicable in other spots, for example the wsse11:TokenType in an STR. All these constants are orthogonal to the token type being referenced at the WS-Trust exchange layer, which is the only usage we're dealing with in the IMI token profiles.
The consensus during 4/15 call was that no change to the profiles is needed.
Comment #4 – issue
While this may be a good suggestion, it's not relevant to the token profiles but could be raised against the IMI standard itself
as a suggested change. No change was made to the profiles.
From: Markus Sabadello [mailto:firstname.lastname@example.org]
Sent: Thursday, April 08, 2010 1:12 PM
Subject: [imi-comment] Re: comments on SAML V2.0 Information Card Token Profile Version 1.0
It seems that with every new token profile that gets added to IMI, all already existing cards need to be reissued, because the supported token types are listed in the .crd file. Maybe it would be better to remove SupportedTokenTypeList from the .crd files and
instead let selectors ask the Metadata endpoint. This way STSes can over time add support for new token types even for already existing cards.
On Thu, Apr 8, 2010 at 12:10 AM, Markus Sabadello <email@example.com> wrote:
It seems the examples in 2.7.1 and 2.7.2 are bugged, because the attributes Address and NotOnOrAfter are put on a SubjectConfirmation element rather than on a SubjectConfirmationDataType element.
Section 2.6.1 discusses the use of the Address attribute.
"While moderately effective, this practice often proves impractical for services offered to large user populations, many of whom are likely to encounter proxies and network configurations that result in inability to satisfy the restriction"
Just wanted to add as an observation that this is also impractical in situations where a selector relies on a cloud-based service for talking to the STS.
E.g. the iPhone I-Card Selector works like that, therefore the IP address seen by the STS is always different from the IP of the selector.
RSTRs typically contain something like this to reference the issued security token:
What ValueType should STS implementers use when adopting the recent SAML1.1 and SAML2.0 token profiles? Is this ValueType the same as the wst:TokenType in the RST?