security-services-comment message
Subject: Re: comments: sstc-saml-x509-authn-based-attribute-protocol-2.0-draft-02


Additional comments:

- Change the title to "SAML Attribute Sharing Profile for X.509
Authentication-based Systems", which emphasizes the fact that this
profile is primarily about attribute sharing, not X.509
authentication.

- Emphasize the profile's roots in the Assertion Query/Request Profile
specified in section 6 of [SAMLProf].  Build from that existing
profile; in particular, choose a URI identifier having prefix
urn:oasis:names:tc:SAML:2.0:profiles:query
An example is given below.  Another example is:
urn:oasis:names:tc:SAML:2.0:profiles:query:attributes:X509

- Specify the details of the <samlp:AttributeQuery> element. In
particular, specify the attributes and value of the <saml:NameID>
element (formerly <saml:NameIdentifier>).

- Recommend SAML metadata instead of ad hoc configuration files.

- Try to make the profile as generic as possible, leaving
deployment-specific details to the implementer.

The GridShib project hopes to leverage your work by adding our own
SAML 1.1 attribute sharing profile on top of yours.  Thank you for
contributing this important piece of work.

Tom Scavo
http://grid.ncsa.uiuc.edu/GridShib/


On Thu, 10 Mar 2005 21:51:26 -0500, Tom Scavo <trscavo@gmail.com> wrote:
> Document: sstc-saml-x509-authn-based-attribute-protocol-2.0-draft-02
> 
> Errata:
> 
> [page 2, line 6] Replace "X.509v3" with "X.509v3 [RFC3280]" and add
> the reference to section 2.
> 
> [page 2, line 8] Replace
> "urn:oasis:names:tc:SAML:2.0:profiles:x509authattributesharing" with
> "urn:oasis:names:tc:SAML:2.0:profiles:query:X509SubjectName". The URI
> of section 6 of [SAMLProf] is a prefix of the latter.
> 
> [page 2, line 16] Replace "Attribute Query/Response Profile" with
> "Assertion Query/Request Profile", which is what it's called in
> [SAMLProf].  Remove the parenthetic comment.
> 
> [page 2, line 21] Replace "i.e." with "i.e.,".
> 
> [page 2, line 22] Replace "certificate and not a SAML assertion" with
> "certificate, not a SAML assertion".
> 
> [page 2, line 24] Replace "Even after" with "After".
> 
> [page 2, lines 27--29] Replace the last sentence of section 1.2.1 with
> "When the identity provider returns the relevant attributes, the
> service provider is able to make an informed access control decision."
> 
> [page 2, line 32] Replace the hyphen with an em-dash.
> 
> [page 3, line 1] Replace "User" with "Principal" in the box.
> 
> [page 3, line 1] Number all arrows in the diagram.
> 
> [page 3, line 4] Replace "HTTP User Agent, makes an HTTP request" with
> "HTTP user agent, makes a request".
> 
> [page 3, lines 13--14] Replace "over the" with "using a".
> 
> [page 3, lines 15--17] Add normative language to the last sentence in
> this paragraph and move the sentence to a subsequent section.
> 
> [page 3, line 22] Replace "for" with "pertaining to".
> 
> [page 3, line 23] Add normative language to this sentence and move it
> to a subsequent section.
> 
> [page 4, line 1] Replace "response" with "the response" and move this
> sentence to a subsequent section.
> 
> [page 4, line 5] Replace "themselves" with "itself" and move this
> sentence to a subsequent section.
> 
> [page 4, lines 12--14] Replace this sentence with "Based on the
> results of steps 5 and 6, the service returns the requested resource
> or returns an error."
> 
> [page 4, line 15, 17] Remove this blank line.
> 
> [page 4, line 33] Replace "the [Attribute Request/Response Profile]"
> with "section 6 of [SAMLProf]".
> 
> [page 4, lines 34--35] Move this sentence to section 1.3.
> 
> [page 4, line 37] Insert a space before "MUST".
> 
> [page 4, line 39] A section number is apparently missing.
> 
> [page 5, lines 6--7] This sentence is redundant.
> 
> [page 5, line 18] Replace "mean" with "means".
> 
> [page 5, line 22] Replace "issue" with "Issue".
> 
> [page 5, line 24] Replace "the [Attribute Request/Response Profile]"
> with "section 6 of [SAMLProf]".
> 
> [page 5, lines 25--26] This sentence is redundant.
> 
> [page 5, line 29] Insert a comma after "successful".
> 
> [page 5, line 31, 32] The word "element" is set in the wrong font.
> 
> [page 5, line 32] Replace "<EncryptedAssertion>" with
> "<EncryptedAssertion> element".
> 
> [page 5, line 35] Replace "<SubjectConfirmation>" with
> "<SubjectConfirmation> element".
> 
> [page 5, line 35] Replace the second occurrence of "'holder-of-key'"
> with "'holder-of-key' is used".
> 
> [page 5, line 37] Replace "themselves" with "itself".
> 
> [page 5, line 40] What does "It" refer to?
> 
> [page 5, line 40] This bulleted item should be the first bulleted item
> in the list.
> 
> [page 6, lines 11--12] This sentence is redundant.
> 
> [page 6, lines 21--28] All of the angle brackets are set in the wrong font.
> 
> [page 6, line 29] Delete this blank line.
> 
> [page 6, line 35, 37] Replace "Identity Providers" with "identity providers".
> 
> [page 7, line 6] Delete this blank line.
> 
> [page 8, line 7] Replace "[SAMLProfiles]" with "[SAMLProf]".
> 
> Comments:
> 
> - Insert the usual section 1 (Introduction) and section 1.1
> (Notation).  In particular, all prefixes should be defined in section
> 1.1.
> 
> - All XML elements should be prefixed for clarity.
> 
> - The introductory paragraph [page 2, lines 3--6] should reference
> section 6 of [SAMLProf], which itself references [SAMLCore] and
> [SAMLBind].
> 
> - Section 1.2.1, which contains introductory material, does not belong
> with the rest of the content in section 1.
> 
> - Define "service provider" in section 1.2.1.  (Evidently this is not
> the "service provider" of the browser profiles.)
> 
> - In section 1.2.1, instead of saying "This is configured outside of
> SAML", suggest (and later show how to use) SAML 2.0 metadata.
> 
> - In section 1.3, discuss the <saml:NameIdentifier> element alluded to
> on [page 3, lines 14--15].
> 
> - In the diagram on page 3 (and in the corresponding text), I think
> you can safely omit the steps "Request Authentication" and
> "Authentication", and assume that authentication occurs at step 1 in
> conjunction with the initial request.  Since the profile focuses on
> the attribute exchange, such a simplification is particularly
> appealing.
> 
> - In the sequence of steps on pages 3--4, remove any normative
> language from the steps not covered by this profile, that is, any step
> except steps 4 and 5.
> 
> - Instead of a "service provider configuration setting" on line 19 of
> page 3, why not recommend using SAML 2.0 metadata?
> 
> - In section 1.3, the security requirements seem overspecified.
> Wouldn't it be better to specify the requirements in more general
> terms (bilateral authentication, integrity, confidentiality) and leave
> the details as a deployment decision?  You can make recommendations of
> course in section 1.4.
> 
> - In section 1.3, why must the attributes be encrypted if integrity
> and confidentiality are assured by other means (such as SSL/TLS)?
> 
> - In section 1.3.1 [line 32], did you intend to reference an assertion
> in the query or is this a typo?
> 
> - On line 8 [page 5], is the symmetric key established out of band?
> 
> - On lines 8--15 [page 5], I think you're making some unreasonable
> assumptions on behalf of the reader.  You should define the xenc:
> prefix (in an introductory section) and give a reference to [XMLEnc].
> 
> - The opening sentence to section 1.3.2.1 refers to standard SAML
> protocol, does it not?
> 
> - On lines 38--39 [page 5], you're assuming the IdP has access to the
> certificate (which is not generally true).
> 
> - On line 2 [page 5], shouldn't the response be signed instead of the
> assertion?  Same comment applies to lines 13--14.
> 
> - In section 2, update the references to the most recent versions of
> the SAML 2.0 docs.  Add [RFC3280] and [XMLEnc].
> 
> - How are you dealing with the IdP Discovery problem?
> 
> - Throughout the document, an attempt should be made to separate the
> detailed security considerations from the general description of the
> profile.  Why not add a section entitled "Security and Privacy
> Considerations".
>
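The comments above ask the draft to pin down the shape of the <samlp:AttributeQuery> and the attributes and value of its <saml:NameID>. As an added illustration (not part of this message or of the TC's draft), the following builds such a query with the Subject carried as an X.509 subject DN, using the SAML 2.0 Core X509SubjectName name identifier format, and shows the check an identity provider would apply before answering. Entity IDs, the DN, the attribute name and the ID/timestamp values are constructed sample values.

```python
# Added example, not code from the original message or the SAML draft.
# Builds a <samlp:AttributeQuery> whose Subject is an X.509 subject DN and
# validates an incoming one the way an identity provider would.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Name identifier format defined in SAML 2.0 Core for X.509 subject names.
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(issuer, subject_dn, attr_names, query_id, issue_instant):
    """Serialize an AttributeQuery whose <saml:NameID> holds the subject DN."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery",
                   {"ID": query_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT_NAME})
    name_id.text = subject_dn
    for name in attr_names:  # one <saml:Attribute> per requested attribute
        ET.SubElement(q, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(q, encoding="unicode")


def parse_attribute_query(xml_text):
    """Identity-provider side: reject queries that do not follow the profile
    (wrong root element, missing Subject/NameID, or a NameID whose Format is
    not X509SubjectName) before looking up any attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not a samlp:AttributeQuery")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing saml:Subject/saml:NameID")
    if name_id.get("Format") != X509_SUBJECT_NAME:
        raise ValueError("NameID Format must be X509SubjectName")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "subject_dn": name_id.text.strip(),
        "attributes": [a.get("Name") for a in root.findall(f"{{{SAML}}}Attribute")],
    }


# Constructed sample query (hypothetical entity IDs, DN and attribute name).
SAMPLE_QUERY = build_attribute_query(
    issuer="https://sp.example.org/shibboleth",
    subject_dn="CN=Jane Doe,OU=People,O=Example Org,C=US",
    attr_names=["urn:mace:dir:attribute-def:eduPersonAffiliation"],
    query_id="_constructed-query-001",
    issue_instant="2005-03-10T21:51:26Z",
)
```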
