[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [security-services] ISSUE: Fragment identifiers for URI references onthe Format attribute
The following is a relatively minor set of potential issues on SAML 1.0
Committee Spec-01. Note that we're going to need a process for
collecting issues going forward, or at least we need to continue our
existing process...
* * *
In cs-sstc-core-01, lines 599-615 contain the only use of fragment
identifiers in the whole spec anymore: they describe the values for the
Format attribute, such as #emailAddress, on <NameIdentifier> . I'm
wondering why we didn't make these whole URNs, as we ultimately did for
everything else. Also, here we refer a bit obliquely to base URIs:
"assuming a base URI of the SAML assertion namespace name" (lines 600-601).
I have the following concerns:
- Did we mean that it should be possible to set an explicit base URI
somewhere and then in the Format attribute use only the fragment ID? If
so, were we assuming that the base URI would be set using the XML Base
spec? If we were relying on XML Base, we would have to make explicit
reference to it in the text; you don't get XML Base free by using XML (yet).
- Alternatively, did we mean that SAML has its own application-specific
semantics about the base URI? This may be perfectly acceptable
("application-dependent semantics" as defined in RFC 2396); I just think
our text isn't quite clear enough in this case.
- The semantics for base URIs are really tricky; I'm not an expert, but
I'm concerned we may be breaking the semantics for "empty" URIs (such as
the empty URI string a Format attribute value of "#emailAddress") if we
do assume that the base URI is set elsewhere and can be implicit on the
Format attribute.
The good news, if there are issues here, is that the workaround is to
always supply the whole URN+fragID. (What is current practice by
implementors?)
Assuming that my fears about "empty" URIs are unfounded (I will check
with a base-URI expert of my acquaintance), an easy fix/enhancement in
the direction of application-specific base URIs would be to clarify the
"assuming a base URI of the SAML assertion namespace name" wording.
This is perhaps a minor enough clarification that there may be a way to
do it for the OASIS Standard level, if we get that far...
If we want to allow the use of XML Base (that is, the xml:base
attribute), the change would be quite a bit more invasive. We'd want to
explicitly allow for the attribute in our schemas, and make normative
reference to the XML Base spec from our core spec. I wouldn't want to
go here for a while.
Eve
--
Eve Maler +1 781 442 3190
Sun Microsystems cell +1 781 883 5917
XML Web Services / Industry Initiatives eve.maler @ sun.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC