
security-services message



Subject: RE: [saml-dev] ACTION-ITEM: Addition of ID attributes to SAML 1.0 elements in SAML 1.1


Prateek -
Given that the two communicating parties can determine which version of SAML each is using, then the proposed change is very acceptable. After all, what is the purpose of the Major/Minor numbers? Also, I argue that SAML is still "young" enough that we can introduce these kinds of changes without worrying too much about forward compatibility. Lastly, based on very informal statistics (i.e., my own experience), not too many people actually turn on schema validation.
 
Thanks,
Jahan
----------------
Jahan Moreh
Chief Security Architect
310.286.3070
-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Monday, March 31, 2003 8:27 AM
To: saml-dev@lists.oasis-open.org; 'security-services@lists.oasis-open.org'
Subject: [saml-dev] ACTION-ITEM: Addition of ID attributes to SAML 1.0 elements in SAML 1.1

We are considering an update to the SAML schema to include an ID attribute in SAML 1.1. I am sending this message to alert you to this possibility and to solicit your reactions.
 
Question: What is the impact of this change on existing SAML 1.0 implementations?
 
Answer: Loss of "forward-compatibility" in that a SAML 1.0 processor (server) cannot validate a SAML 1.1 document even if the SAML 1.1 document utilizes elements found only in SAML 1.0. Why? Because in SAML 1.1 elements drawn from SAML 1.0 may now carry an ID attribute and a validating parser will find this unacceptable.
 
So the real question is whether implementors are relying upon forward compatibility. And indeed, whether it is a real problem as opposed to a theoretical possibility.
Keep in mind that version numbers etc. will be appropriately updated so that the SAML 1.0 processor can always determine that it has been handed a SAML 1.1 document.
 
 
----------------------
Prateek Mishra
Netegrity
 
p: 781-530-6564
c: 781-308-5198
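
An added example, not part of the original messages: a sketch of how a SAML 1.0-only receiver could read MajorVersion/MinorVersion before strict validation, so that a 1.1 document is reported as an unsupported version rather than as an invalid 1.0 document. The attribute allowlist stands in for real schema validation, and the placement of the new ID attribute on Assertion, the function names and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Attributes the SAML 1.0 schema declares on <Assertion>. Checking against this
# set stands in for full schema validation, which rejects undeclared attributes.
ASSERTION_ATTRS_1_0 = {"MajorVersion", "MinorVersion", "AssertionID",
                       "Issuer", "IssueInstant"}


def check_assertion(xml_text, supported=(1, 0)):
    """Return (verdict, detail) as seen by a processor that only implements 1.0."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ("reject", "not well-formed XML")
    if root.tag != "{%s}Assertion" % SAML_NS:
        return ("reject", "not a SAML assertion")
    try:
        version = (int(root.attrib["MajorVersion"]),
                   int(root.attrib["MinorVersion"]))
    except (KeyError, ValueError):
        return ("reject", "missing or malformed version attributes")
    # Version check comes first: a newer minor version is the expected reason
    # for strict validation against the 1.0 schema to fail.
    if version != supported:
        return ("unsupported-version", "%d.%d" % version)
    unknown = sorted(set(root.attrib) - ASSERTION_ATTRS_1_0)
    if unknown:
        return ("invalid", "undeclared attributes: " + ", ".join(unknown))
    return ("ok", "%d.%d" % version)


def sample(minor, extra=""):
    # Constructed sample assertion; issuer, identifiers and timestamp are made up.
    return ('<Assertion xmlns="%s" MajorVersion="1" MinorVersion="%d" '
            'AssertionID="a1" Issuer="idp.example.org" '
            'IssueInstant="2003-03-31T16:27:00Z"%s/>' % (SAML_NS, minor, extra))


SAMPLE_1_0 = sample(0)
SAMPLE_1_1_WITH_ID = sample(1, ' ID="x1"')  # assumed placement of the ID attribute
SAMPLE_MISLABELED = sample(0, ' ID="x1"')   # claims 1.0 but carries the new attribute

if __name__ == "__main__":
    for doc in (SAMPLE_1_0, SAMPLE_1_1_WITH_ID, SAMPLE_MISLABELED):
        print(check_assertion(doc))
```

A receiver that skips the version check would report the second sample the same way as the third, hiding the fact that the sender is simply speaking SAML 1.1.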
 

