security-services-comment message


Subject: Public Comment


Comment from: tscavo@ncsa.uiuc.edu

Name: Tom Scavo
Title: Research Programmer
Organization: National Center for Supercomputing Applications
Regarding Specification: SAML Metadata Extension for Query Requesters

Document identifier: sstc-saml-metadata-ext-query-cd-01

Errata:

[line 66] The sentence "In schema listings, this is the default namespace and no prefix is shown" contradicts the sentence on line 80.  Perhaps the former should be deleted.

[line 116, 138, 160] s/See for/See the SAML V1.x metadata profile [SAML1xMeta] for/

[line 242] s/SAML metadata extension schema/SAML Metadata Extension Schema for Query Requester/

[lines 243--244] s^http://www.oasis-open.org/committees/security/^http://www.oasis-open.org/committees/download.php/18062/sstc-saml-metadata-ext-query.xsd^

[lines 247] s^http://www.oasis-open.org/committees/security/^http://www.oasis-open.org/committees/download.php/18048/sstc-saml1x-metadata.xsd^

[lines 256--257] s^http://www.oasis-open.org/committees/download.php/11903/saml-2.0-os-xsd.zip^http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd^

Comments:

[line 10] I was an employee at NCSA at the time this document was written, so this line should read:
Tom Scavo (tscavo@ncsa.uiuc.edu), NCSA

[line 66] Suggested modifications to the table between lines 65--66:
s/assertion namespace [SAML2Core]/assertion namespace defined in the SAML V2.0 core specification [SAML2Core]/
s/metadata namespace [SAML2Core]/metadata namespace defined in the SAML V2.0 metadata specification [SAML2Meta]/
s/metadata query extension namespace,/metadata query extension namespace/

[line 155] Because of the contradiction on lines 66 and 80, the namespace associated with the ActionNamespace element is not immediately evident to the reader.  Upon further and careful reading, this becomes clear, but wouldn't it be better to prefix the element name with the "query:" prefix and be explicit about it?

[lines 204--218] The two RequestedAttribute elements in this example denote the same attribute and attribute value (using alternate notation that is irrelevant to this profile).  I suggest rewriting the elements as follows:

<md:RequestedAttribute
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
  FriendlyName="eduPersonScopedAffiliation">
</md:RequestedAttribute>
<md:RequestedAttribute
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
  FriendlyName="eduPersonEntitlement">
  <saml:AttributeValue xsi:type="xsd:anyURI">
    https://gs.org/gridshib/entitlements/123456789
  </saml:AttributeValue>
</md:RequestedAttribute>

[line 242] The referenced schema document does not explicitly list an author, so the author listed in the References is apparently in error.  Do the schema author(s) mirror the profile author(s) in this case? (N.B. I was the original author of the schema document in question, per Scott's suggestion.)

[line 255] Again, the referenced schema document does not explicitly list an author, so the author listed in the References seems to be in error.
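The RequestedAttribute rewrite suggested above, and the point about namespace prefixes being explicit, can both be exercised with a small namespace-aware parser. The following is an added example, not part of the comment or of the SAML specification; it assumes only the standard SAML V2.0 metadata and assertion namespace URIs and a constructed md:AttributeConsumingService wrapper so that the two elements form a well-formed fragment. It also goes slightly beyond the comment by rejecting duplicate Name values and non-URI NameFormat values, which is what a metadata consumer would check.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs for SAML V2.0 metadata and assertions plus XML Schema.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "xsd": "http://www.w3.org/2001/XMLSchema",
}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample: the two RequestedAttribute elements as suggested in the
# comment, wrapped in an AttributeConsumingService (constructed) so the
# fragment is a well-formed, namespace-qualified document.
SAMPLE = """<md:AttributeConsumingService index="0"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <md:ServiceName xml:lang="en">Constructed example service</md:ServiceName>
  <md:RequestedAttribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
    FriendlyName="eduPersonScopedAffiliation">
  </md:RequestedAttribute>
  <md:RequestedAttribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
    FriendlyName="eduPersonEntitlement">
    <saml:AttributeValue xsi:type="xsd:anyURI">
      https://gs.org/gridshib/entitlements/123456789
    </saml:AttributeValue>
  </md:RequestedAttribute>
</md:AttributeConsumingService>
"""

# Constructed negative sample: the same Name listed twice, which a consumer
# should reject rather than silently merge or overwrite.
DUPLICATE_SAMPLE = """<md:AttributeConsumingService index="0"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"/>
  <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"/>
</md:AttributeConsumingService>
"""


def parse_requested_attributes(xml_text):
    """Return {Name: {NameFormat, FriendlyName, values, value_types}} for every
    md:RequestedAttribute, resolving elements by namespace rather than by prefix.
    Raises ValueError on a missing Name, a non-URI NameFormat, or a duplicate Name."""
    root = ET.fromstring(xml_text)
    result = {}
    for el in root.findall("md:RequestedAttribute", NS):
        name = el.get("Name")
        fmt = el.get("NameFormat")
        if name is None:
            raise ValueError("RequestedAttribute without a Name attribute")
        if fmt != URI_FORMAT:
            raise ValueError("unexpected NameFormat %r for %s" % (fmt, name))
        if name in result:
            raise ValueError("duplicate RequestedAttribute Name %s" % name)
        values = el.findall("saml:AttributeValue", NS)
        result[name] = {
            "NameFormat": fmt,
            "FriendlyName": el.get("FriendlyName"),
            # Whitespace around the value is formatting, not part of the URI.
            "values": [v.text.strip() for v in values if v.text],
            # xsi:type is itself namespace-qualified; ElementTree keys it by URI.
            "value_types": [v.get("{%s}type" % NS["xsi"]) for v in values],
        }
    return result


def count_unqualified_matches(xml_text):
    """Show why an explicit prefix matters: looking up the bare local name
    without its namespace finds nothing in a namespace-qualified document."""
    root = ET.fromstring(xml_text)
    return len(root.findall("RequestedAttribute"))


def validation_error(xml_text):
    """Return the ValueError message for a rejected document, or None if accepted."""
    try:
        parse_requested_attributes(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, info in parse_requested_attributes(SAMPLE).items():
        print(name, info["FriendlyName"], info["values"])
    print("unqualified matches:", count_unqualified_matches(SAMPLE))
    print("duplicate sample:", validation_error(DUPLICATE_SAMPLE))
```

Resolving elements by namespace URI is what makes the lookup robust against whichever prefix a given document happens to declare; the bare-local-name lookup returning zero matches is the concrete form of the ambiguity the comment raises about the unprefixed ActionNamespace element.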
