Subject: RE: [x500standard] Re: SAML V2.0 X.500/LDAP Attribute Profile
Scott,

The new LDAP profile "supersedes the erroneous profile in [SAML2Prof]", and states that asserting and relying party implementations conform to the profile if they are consistent with the normative text of section 2. But because the profile uses a mixture of RFC 2119 requirement levels and descriptive text, determining which text is normative is a challenge. For example, the NameFormat MUST be urn:...:uri, but to construct attribute names, the URN oid namespace "is used", and the FriendlyName attribute "plays no role" in the comparison.

Although no reasonable person could argue with the intent of this text, experience says that it is better to have standards resistant to attack even from unreasonable people :-) Could the profile mark every normative requirement with a requirement level, e.g. "To construct attribute names, the URN oid namespace ... MUST be used", and "The FriendlyName attribute SHOULD NOT be sent and MUST play no role in the comparison"?

From a security perspective, every non-validated input accepted from another party is a vulnerability, so applications should not just accept FriendlyNames at face value and display them. From a usability perspective, displaying FriendlyNames in the sender's language inhibits i18n; instead, relying applications should generate FriendlyNames in the receiver's language from the OID. And from an efficiency perspective, EFX schema-based compression is impaired by both free text elements and redundant content.

A quick scan shows new informative sentences on Tagging options in 2.3 and 2.3.1 and the Encoding attribute moved from <AttributeValue> to <Attribute>. Does the change in location of Encoding completely address the problem of "well-formed but schema-invalid XML" in the original profile, or are other changes required?
Thanks,
Dave

-----Original Message-----
From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of Steven Legg
Sent: Wednesday, April 02, 2008 7:57 PM
To: firstname.lastname@example.org
Cc: SG17-Q2; Abbie Barbir
Subject: [x500standard] Re: SAML V2.0 X.500/LDAP Attribute Profile

Erik,

Erik Andersen wrote:
> Hi Folks
>
> OASIS is working on an X.500 attribute profile. As an X.500 group we may
> have comments on this work. The latest profile may be found on. If we
> had an XML representation of our attributes, how would they differ from
> the SAML 2 profile?

In early discussions I had with Bob Morgan regarding the profile's Encoding attribute it was intended to allow for alternative encodings. I had in mind BER, GSER and RXER (XML) as the alternative encodings. However, according to Scott Cantor (the profile editor), the scope of the current profile is strictly just directory attributes in their LDAP-specific encoding, hence the only allowed value for the Encoding attribute is "LDAP". Alternative encodings would have to be the subject of some future revision of the profile, or a separate profile.

In the current profile, an XML element that is contained in an LDAP attribute value must either have the markup escaped so that the value conforms to the xsd:string type, or the entire value must be base64 encoded so as to conform to the xsd:base64Binary type. In both cases the element appears as character data in the Infoset representation of the SAML assertion rather than naturally as an element information item. My thinking behind an "RXER" Encoding value was that it would allow XML elements in the RXER encoding of directory attribute values to appear naturally as child elements of the SAML <AttributeValue> element.

Regards,
Steven

> http://www.oasis-open.org/committees/download.php/27565/sstc-saml-attribute-x500-cd-03.pdf
>
> I noticed that Abbie is one of the editors.
>
> Is there or should there be any relationship between SAML 2 and
> X.500/LDAP (beyond X.509)?
>
> Erik Andersen
> Andersen's L-Service
> Mobile: +45 20 97 14 90
> e-mail: email@example.com <mailto:firstname.lastname@example.org>
> http://www.x500.eu <http://www.x500.eu/>
> http://www.x500standard.com/

----- www.x500standard.com: The central source for information on the X.500 Directory Standard.
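The receiver-side handling Dave argues for in his message (check that NameFormat is the "uri" format and that Name is a urn:oid URN, accept only the profile's "LDAP" Encoding on <Attribute>, and ignore the sender's FriendlyName in favour of a label generated locally from the OID in the receiver's language) is shown below as an added example. It is not code from this thread, from OASIS or from the profile itself. The namespace URIs and the single Encoding value "LDAP" are taken from the published SAML 2.0 core and X.500/LDAP attribute profile; the OID-to-label table, the sample attribute statements and the `conforms` helper are constructed for this example.

```python
"""Relying-party validation of SAML 2.0 <Attribute> elements under the
X.500/LDAP attribute profile.  Added example, not code from the thread.

Assumptions beyond the thread: the namespace URIs are those of the SAML 2.0
core and X.500/LDAP profile; LOCAL_NAMES and the SAMPLE documents are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml in production to reject DTDs/entities

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
X500_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# The profile builds attribute names in the URN oid namespace.
OID_NAME_RE = re.compile(r"^urn:oid:(\d+(?:\.\d+)*)$")

# Receiver-side display labels keyed by OID and language.  Constructed for
# this example; a deployment would load these from its own schema data.
LOCAL_NAMES = {
    "2.5.4.42": {"en": "Given name", "da": "Fornavn"},
    "2.5.4.4": {"en": "Surname", "da": "Efternavn"},
    "0.9.2342.19200300.100.1.3": {"en": "E-mail address", "da": "E-mailadresse"},
}


class ProfileViolation(ValueError):
    """Raised when an <Attribute> does not satisfy the profile's requirements."""


def parse_attribute(attr_el, lang="en"):
    """Validate one saml:Attribute and return a receiver-controlled view of it.

    The sender's FriendlyName is never read: the label comes from LOCAL_NAMES.
    """
    if attr_el.tag != f"{{{SAML_NS}}}Attribute":
        raise ProfileViolation("not a saml:Attribute element")
    if attr_el.get("NameFormat") != URI_FORMAT:
        raise ProfileViolation("NameFormat must be the 'uri' format")
    match = OID_NAME_RE.match(attr_el.get("Name", ""))
    if not match:
        raise ProfileViolation("Name must be a urn:oid: URN")
    oid = match.group(1)
    # The Encoding attribute sits on <Attribute>; "LDAP" is the only defined value.
    encoding = attr_el.get(f"{{{X500_NS}}}Encoding")
    if encoding is not None and encoding != "LDAP":
        raise ProfileViolation(f"unsupported Encoding {encoding!r}")
    values = []
    for value_el in attr_el.findall(f"{{{SAML_NS}}}AttributeValue"):
        if len(value_el):  # LDAP-encoded values are character data, never child elements
            raise ProfileViolation("AttributeValue must not contain child elements")
        values.append(value_el.text or "")
    labels = LOCAL_NAMES.get(oid, {})
    friendly = labels.get(lang) or labels.get("en") or f"OID {oid}"
    return {"oid": oid, "friendly_name": friendly, "values": values}


def parse_attribute_statement(xml_text, lang="en"):
    """Parse an AttributeStatement and validate every Attribute in it."""
    root = ET.fromstring(xml_text)
    return [parse_attribute(a, lang) for a in root.iter(f"{{{SAML_NS}}}Attribute")]


def conforms(xml_text):
    """True if the statement parses and every Attribute satisfies the profile."""
    try:
        parse_attribute_statement(xml_text)
        return True
    except (ProfileViolation, ET.ParseError):
        return False


# Constructed sample: the second FriendlyName is a sender-chosen string that a
# naive display would show verbatim; here it is simply ignored.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}" xmlns:x500="{X500_NS}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute x500:Encoding="LDAP" NameFormat="{URI_FORMAT}"
      Name="urn:oid:2.5.4.42" FriendlyName="givenName">
    <saml:AttributeValue xsi:type="xs:string">Alice</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute x500:Encoding="LDAP" NameFormat="{URI_FORMAT}"
      Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="Verified employee">
    <saml:AttributeValue xsi:type="xs:string">alice@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed non-conforming sample: "basic" NameFormat with a bare attribute name.
BAD_SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      Name="givenName">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    for attr in parse_attribute_statement(SAMPLE, lang="da"):
        print(attr)
    print("BAD_SAMPLE conforms:", conforms(BAD_SAMPLE))
```

Rejecting rather than tolerating a non-"uri" NameFormat or a non-OID Name is what makes the receiver immune to a sender that relabels attributes, and generating the label from the OID is what lets the same assertion be displayed in Danish or English without any cooperation from the asserting party.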