RE: [x500standard] Re: SAML V2.0 X.500/LDAP Attribute Profile

["Kemp, David P." <DPKemp@missi.ncsc.mil>]

Scott,

The new LDAP profile "supersedes the erroneous profile in [SAML2Prof]",
and states that asserting and relying party implementations conform to
the profile if they are consistent with the normative text of section 2.
But because the profile uses a mixture of RFC 2119 requirement levels
and descriptive text, determining which text is normative is a
challenge.  For example, the NameFormat MUST be urn:...:uri, but to
construct attribute names, the URN oid namespace "is used", and the
FriendlyName attribute "plays no role" in the comparison.  Although no
reasonable person could argue with the intent of this text, experience
says that it is better to have standards resistant to attack even from
unreasonable people :-)

Could the profile mark every normative requirement with a requirement
level, e.g. "To construct attribute names, the URN oid namespace ...
MUST be used", and "The FriendlyName attribute SHOULD NOT be sent and
MUST play no role in the comparison"?  From a security perspective,
every non-validated input accepted from another party is a
vulnerability, so applications should not just accept FriendlyNames at
face value and display them.  From a usability perspective, displaying
FriendlyNames in the sender's language inhibits i18n; instead relying
applications should generate FriendlyNames in the receiver's language
from the OID.  And from an efficiency perspective, EFX schema-based
compression is impaired by both free text elements and redundant
content.

A quick scan shows new informative sentences on Tagging options in 2.3
and 2.3.1 and the Encoding attribute moved from <AttributeValue> to
<Attribute>.  Does the change in location of Encoding completely address
the problem of "well-formed but schema-invalid XML" in the original
profile, or are other changes required?

Thanks,
Dave


-----Original Message-----
From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Steven Legg
Sent: Wednesday, April 02, 2008 7:57 PM
To: x500standard@freelists.org
Cc: SG17-Q2; Abbie Barbir
Subject: [x500standard] Re: SAML V2.0 X.500/LDAP Attribute Profile


Erik,

Erik Andersen wrote:
> Hi Folks
> 
>  
> 
> OASIS is working on a X.500 attribute profile. As an X.500 group we
may 
> have comments on this work. The latest profile may be found on. If we 
> had an XLM representations of our attributes, how would they differ
from 
> the SAML 2 profile?

In early discussions I had with Bob Morgan regarding the profile's
Encoding
attribute it was intended to allow for alternative encodings. I had in
mind
BER, GSER and RXER (XML) as the alternative encodings. However,
according to
Scott Cantor (the profile editor), the scope of the current profile is
strictly
just directory attributes in their LDAP-specific encoding, hence the
only
allowed value for the Encoding attribute is "LDAP". Alternative
encodings
would have to be the subject of some future revision of the profile, or
a
separate profile.

In the current profile, an XML element that is contained in an LDAP
attribute
value must either have the markup escaped so that the value conforms to
the
xsd:string type, or the entire value must be base64 encoded so as to
conform
to the xsd:base64Binary type. In both cases the element appears as
character
data in the Infoset representation of the SAML assertion rather than
naturally
as an element information item. My thinking behind an "RXER" Encoding
value
would allow XML elements in the RXER encoding of directory attribute
values
to appear naturally as child elements of the SAML <AttributeValue>
element.

Regards,
Steven

> 
>  
> 
>
http://www.oasis-open.org/committees/download.php/27565/sstc-saml-attrib
ute-x500-cd-03.pdf
> 
>  
> 
> I noticed that Abbie is one of the editors.
> 
>  
> 
> Is there or should there be any relationship between SAML 2 and 
> X.500/LDAP (beyond X.509)? 
> 
>  
> 
>  
> 
> Erik Andersen
> 
> Andersen's L-Service
> 
> Mobile: +45 20 97 14 90
> 
> e-mail: era@x500.eu <mailto:era@x500.eu>
> 
> http://www.x500.eu <http://www.x500.eu/>
> 
> http://www.x500standard.com/
> 
>  
> 
-----
www.x500standard.com: The central source for information on the X.500
Directory Standard.