
Subject: Re: [security-services] URGENT: normative refs (was Re:[security-services] FW: status of ITU submission)


Guidance from the focus group call today...  I will send final lists to
Karl this afternoon.  Please note that I did a bit of reconsidering on a 
couple of items; yell if it's a problem.

	Eve

Eve L. Maler wrote:
> 1) The Conformance Program Specification is the entry point
>    for the entire SAML specification suite as far as normatively
>    referencing other parts of the suite is concerned, so that
>    references from other specifications to SAML can merely
>    point to SAMLConform in order to pick up the entire suite.
> 
> 2) Intra-suite references that appear in each spec should be
>    categorized as normative, except that references to
>    Security and Privacy Considerations should be non-normative.

This is fine.

> Assertions and Protocol:
> 
> Normative:
> Excl-C14n (line 1583; has a SHOULD)
> RFC2119 (normative for language interpretation)
> RFC2396 (lines 219, 841, 867, 1148; normative for correct
> interpretation of RECOMMENDED instruction on URIs)
> SAML-XSD (lines 173, 190, 203)
> SAMLP-XSD (lines 174, 190, 206)
> SAMLBind (lines 172, 293, 669; 933, 1074, 1848)
> SAMLConform (line 294)
> SAMLGloss (line 265)
> Schema1 (lines 177, 198, 1789; need it to interpret schemas)
> UNICODE-C (line 251; comparison method is a MUST)
> XML (lines 217, 240, 257, 258)
> XMLSig (lines 674, 1561, 1598, 1605, 1996; note not all refs
>   normative)
> XMLSig-XSD (lines 197, 210; imported into SAML schemas)
> 
> Non-normative:
> Needham78 (line 1857; not required for conformance)
> PGP (line 1877; not required for conformance)
> PKIX (line 1872; not required for conformance)
> RFC 1510 (line 1857; not required for conformance)
> RFC 2246 (line 1868; not required for conformance)
> RFC 2253 (line 1968; not required for conformance)
> RFC 2630 (never referenced! oops)
> RFC 2822 (line 1959; not required for conformance)
> RFC 2945 (line 1861; not required for conformance)
> RFC 3075 (line 1891; not required for conformance)
> SAMLCore1.0 (line 1606; historical reference)
> SAMLSecure (line 295)
> SPKI (line 882; not required for conformance)
> X.500 (line 1872; not required for conformance)
> XKMS (line 1887; not required for conformance)
> 
> Unclear:
> Schema2 (lines 215, 222, 507; already ref'd by Schema1)

Non-normative.

> W3C-CHAR (line 248; doc ref'd is not finished yet; ck status)
> W3C-CharMod (line 253; ck status of doc)

Double-check their status at W3C.  Even if still working drafts there,
make these references normative and let the chips fall where they may
(knowing that W3C is really good about making URIs persist).

[I went and looked again at how our references are worded; I think these 
will be fine as non-normative references, after all.]

> Bindings and Profiles:
> 
> Normative:
> HTML401 (lines 708, 767; needed for browser/POST)
> RFC1945 (lines 454, 492; profiles depend on this or HTTP 1.1)
> RFC2045 (lines 572, 723; base64 needed for browser/artifact)
> RFC2119 (line 139; normative for language interpretation)
> RFC2246 (line 879; Section 3.1.3.2 says mandatory to implement)
> RFC2616 (lines 435, 453, 492; profiles depend on this or
>   HTTP 1.0; note not all refs normative)
> RFC2617 (line 288; Section 3.1.3.2 says mandatory to implement)
> SAMLCore (lines 115, 146, 147, 320, 730, 770, 842)
> SAMLGloss (line 135)
> SOAP1.1 (lines 151, 200, 234, 240, 243, 273, 308; required
>   for SOAP over HTTP binding)
> SSL3 (line 879; Section 3.1.3.2 says mandatory to implement)
> 
> Non-normative:
> AES (line 884; AES cipher suite not required)
> Anders (line 744; just a note about JavaScript)
> CoreAssnEx (line 569; in a non-normative note)
> Liberty (line 376; just an example of a profile defined outside)
> MSURL (line 913; ref'd in non-normative Section 8)
> Rescorla-Sec (lines 598, 795; security considerations)
> RFC1750 (line 595; just provides advice and definitions)
> SAMLSec (line 302)
> SAMLReqs (line 366; informational/historical)
> SAMLWeb (line 185; non-normative registry of others' profiles)
> SESSION (line 386; just an example)
> ShibMarlena (lines 570, 598, 795; non-normative security
>   considerations)
> WEBSSO (line 385; just an example)
> WSS-SAML (line 374; just an example, now obsolete)
> 
> Unclear:
> RFC1738 (line 448; borrows just its terminology, but URLs
>   are required for these profiles)

Non-normative.

> RFC2279 (line 904; needed for alternative artifact format)

Non-normative; not required for conformance.

> XMLSig (lines 149, 863; required for holder of key?)

Normative; required for holder of key.

> Conformance Program Specification:
> 
> Normative:
> SAMLAssertion (line 134)
> SAMLBind (line 133 and throughout Section 4)
> SAMLCore (line 129 and throughout Section 4)
> SAMLGloss (line 132)
> SAMLProtocol (line 135)
> 
> Non-normative:
> RFC2119 (line 113)
> SAMLSec (line 130)
> NIST/ITL (line 255; discussion point)
> WSS-SAML (line 159; informational)
> 
> Unclear:
> (none)

All the rest was fine.

-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com