OASIS Mailing List Archives



security-services-comment message


Subject: comments: sstc-saml-x509-authn-based-attribute-protocol-2.0-draft-02

Document: sstc-saml-x509-authn-based-attribute-protocol-2.0-draft-02


[page 2, line 6] Replace "X.509v3" with "X.509v3 [RFC3280]" and add
the reference to section 2.

[page 2, line 8] Replace
"urn:oasis:names:tc:SAML:2.0:profiles:x509authattributesharing" with
"urn:oasis:names:tc:SAML:2.0:profiles:query:X509SubjectName". The URI
of section 6 of [SAMLProf] is a prefix of the latter.

[page 2, line 16] Replace "Attribute Query/Response Profile" with
"Assertion Query/Request Profile", which is what it's called in
[SAMLProf].  Remove the parenthetic comment.

[page 2, line 21] Replace "i.e." with "i.e.,".

[page 2, line 22] Replace "certificate and not a SAML assertion" with
"certificate, not a SAML assertion".

[page 2, line 24] Replace "Even after" with "After".

[page 2, lines 27--29] Replace the last sentence of section 1.2.1 with
"When the identity provider returns the relevant attributes, the
service provider is able to make an informed access control decision."

[page 2, line 32] Replace the hyphen with an em-dash.

[page 3, line 1] Replace "User" with "Principal" in the box.

[page 3, line 1] Number all arrows in the diagram.

[page 3, line 4] Replace "HTTP User Agent, makes an HTTP request" with
"HTTP user agent, makes a request".

[page 3, lines 13--14] Replace "over the" with "using a".

[page 3, lines 15--17] Add normative language to the last sentence in
this paragraph and move the sentence to a subsequent section.

[page 3, line 22] Replace "for" with "pertaining to".

[page 3, line 23] Add normative language to this sentence and move it
to a subsequent section.

[page 4, line 1] Replace "response" with "the response" and move this
sentence to a subsequent section.

[page 4, line 5] Replace "themselves" with "itself" and move this
sentence to a subsequent section.

[page 4, lines 12--14] Replace this sentence with "Based on the
results of steps 5 and 6, the service returns the requested resource
or returns an error."

[page 4, lines 15, 17] Remove this blank line.

[page 4, line 33] Replace "the [Attribute Request/Response Profile]"
with "section 6 of [SAMLProf]".

[page 4, lines 34--35] Move this sentence to section 1.3.

[page 4, line 37] Insert a space before "MUST".

[page 4, line 39] A section number is apparently missing.

[page 5, lines 6--7] This sentence is redundant.

[page 5, line 18] Replace "mean" with "means".

[page 5, line 22] Replace "issue" with "Issue".

[page 5, line 24] Replace "the [Attribute Request/Response Profile]"
with "section 6 of [SAMLProf]".

[page 5, lines 25--26] This sentence is redundant.

[page 5, line 29] Insert a comma after "successful".

[page 5, lines 31, 32] The word "element" is set in the wrong font.

[page 5, line 32] Replace "<EncryptedAssertion>" with
"<EncryptedAssertion> element".

[page 5, line 35] Replace "<SubjectConfirmation>" with
"<SubjectConfirmation> element".

[page 5, line 35] Replace the second occurrence of "'holder-of-key'"
with "'holder-of-key' is used".

[page 5, line 37] Replace "themselves" with "itself".

[page 5, line 40] What does "It" refer to?

[page 5, line 40] This bulleted item should be the first bulleted item
in the list.

[page 6, lines 11--12] This sentence is redundant.

[page 6, lines 21--28] All of the angle brackets are set in the wrong font.

[page 6, line 29] Delete this blank line.

[page 6, lines 35, 37] Replace "Identity Providers" with "identity providers".

[page 7, line 6] Delete this blank line.

[page 8, line 7] Replace "[SAMLProfiles]" with "[SAMLProf]".


- Insert the usual section 1 (Introduction) and section 1.1
(Notation).  In particular, all prefixes should be defined in section

- All XML elements should be prefixed for clarity.

- The introductory paragraph [page 2, lines 3--6] should reference
section 6 of [SAMLProf], which itself references [SAMLCore] and

- Section 1.2.1, which contains introductory material, does not belong
with the rest of the content in section 1.

- Define "service provider" in section 1.2.1.  (Evidently this is not
the "service provider" of the browser profiles.)

- In section 1.2.1, instead of saying "This is configured outside of
SAML", suggest (and later show how to use) SAML 2.0 metadata.

- In section 1.3, discuss the <saml:NameIdentifier> element alluded to
on [page 3, lines 14--15].

- In the diagram on page 3 (and in the corresponding text), I think
you can safely omit the steps "Request Authentication" and
"Authentication", and assume that authentication occurs at step 1 in
conjunction with the initial request.  Since the profile focuses on
the attribute exchange, such a simplification is particularly

- In the sequence of steps on pages 3--4, remove any normative
language from the steps not covered by this profile, that is, any step
except steps 4 and 5.

- Instead of a "service provider configuration setting" on line 19 of
page 3, why not recommend using SAML 2.0 metadata?

- In section 1.3, the security requirements seem overspecified. 
Wouldn't it be better to specify the requirements in more general
terms (bilateral authentication, integrity, confidentiality) and leave
the details as a deployment decision?  You can make recommendations of
course in section 1.4.

- In section 1.3, why must the attributes be encrypted if integrity
and confidentiality are assured by other means (such as SSL/TLS)?

- In section 1.3.1 [line 32], did you intend to reference an assertion
in the query or is this a typo?

- On line 8 [page 5], is the symmetric key established out of band?

- On lines 8--15 [page 5], I think you're making some unreasonable
assumptions on behalf of the reader.  You should define the xenc:
prefix (in an introductory section) and give a reference to [XMLEnc].

- The opening sentence to section refers to standard SAML
protocol, does it not?

- On lines 38--39 [page 5], you're assuming the IdP has access to the
certificate (which is not generally true).

- On line 2 [page 5], shouldn't the response be signed instead of the
assertion?  Same comment applies to lines 13--14.

- In section 2, update the references to the most recent versions of
the SAML 2.0 docs.  Add [RFC3280] and [XMLEnc].

- How are you dealing with the IdP Discovery problem?

- Throughout the document, an attempt should be made to separate the
detailed security considerations from the general description of the
profile.  Why not add a section entitled "Security and Privacy
