OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: clarification needed on use of data: URI in MDUI metadata?

In [SAML-Metadata-UI-V1.0], section 2.1.5, line 138, we find:

> The <mdui:Logo> element specifies the external *location* of a localized logo fit for display to users.

My emphasis on *location*: to me, this implies a URL and not just any URI.  Additionally, there's a later statement about "logos SHOULD […] use HTTPS URLs" on line 149 pointing in the same direction, but that's non-normative anyway.

This seems to be somewhat at odds with the statement on line 72 that Logo is:

> A localized logo image for the entity operating in the containing role.

Note that this is saying that the value *is* an image, not that it is the *location of* an image.

So we have two statements about what Logo values are supposed to be, one of which I might characterise as "pass by reference" and the other "pass by value".

In practice:

* many users of the specification use https:// URLs (pass by reference)

* some users of the specification use data: URIs (pass by value)

It seems likely to me that the intention was that both forms should be permitted, and that the "SHOULD use HTTPS URLs" remark applies only in the "pass by reference" case.

As the two parts of the specification appear to be in conflict, I think it's worth clarifying the intent in some way.

If we do think that "data:" is an intended possibility, it is also probably worth highlighting that case as something that consumers of this metadata might need to handle.

	-- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]