Subject: RE: [security-services] proposed new text for X.500/LDAP attribute profile
Hi Bob - Enjoy the vacation.

> 8.2.2 SAML Attribute Naming
>
> The NameFormat XML attribute in <AttributeDesignator> and <Attribute>
> elements MUST be urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
>
> To construct attribute names, the URN oid namespace described in [RFC3061]

[RSP] Should we put a MUST right here?

> is used. In this approach the Name XML attribute is based on the OBJECT
> IDENTIFIER assigned to the X.500/LDAP attribute type.
>
> 8.2.3 Profile-Specific XML Attributes
>
> An XML attribute is defined for the <Attribute> element:
>
> Encoding [Optional]
>
> This value of this XML attribute specifies the encoding used for the SAML

[RSP] s/This/The

> attribute value. Only one value of this attribute is defined at this
> time: LDAP. This specifies the use of the LDAP-specific encoding for this
> X.500 attribute value, as described in section 8.2.5.

[RSP] The encoding is really UTF-8, not "LDAP". Perhaps we should create SAML identifiers such as "urn:oasis:names:tc:SAML:2.0:attr-encoding:LDAP-UTF8" to indicate it is UTF-8 as used in LDAP directories.

> 8.2.4 <AttributeDesignator> Comparison
>
> Two <AttributeDesignator> elements are equal if and only if their Name XML
> attribute values are equal in the sense of [RFC3061]. The FriendlyName
> attribute plays no role in the comparison.

[RSP] It may be obvious, but the NameFormat values must also match, right?

> 8.2.5 SAML Attribute Values
>
> X.500 attribute definitions for use in native X.500 directories specify
> the syntax of the attribute using ASN.1 [X.680]. For transfer via the
> LDAP protocol, attribute definitions may additionally include an
> LDAP-specific encoding, commonly of Unicode characters in UTF-8 form.
> This encoding is identified by an LDAP-specific syntax. This SAML
> attribute profile only specifies the form of SAML attribute values for
> those attributes for which an LDAP-specific syntax is provided. Future
> extensions to this profile may define attribute value formats for other
> X.500-defined attributes.
>
> For the following LDAP-specific syntaxes:

[RSP] Suggest rephrasing so that the long list doesn't sit in the middle of the sentence.

> the value of an X.500 attribute of this syntax is encoded as simply the
> UTF-8 string itself, as the content of the <AttributeValue> element, with
> no additional whitespace. In such cases, the xsi:type XML attribute MUST
> be set to xsd:string. The Encoding XML attribute is provided, with a
> value of "LDAP".

[RSP] s/attribute is provided/attribute MUST be specified/

> For all other LDAP syntaxes, the attribute value is encoded, as the
> content of the <AttributeValue> element, by base64-encoding [RFC2045] the
> encompassing ASN.1 OCTET STRING-encoded LDAP attribute value. The xsi:type
> XML attribute MUST be set to xsd:base64Binary. The Encoding XML attribute
> is provided, with a value of "LDAP".

[RSP] Hmmm... I think, again, I'd prefer a different value for the Encoding attribute that identifies the encoding as base64Binary in this case, not "LDAP".
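As an added example (not part of this mail or of the draft profile), the naming, value-encoding and comparison rules quoted above in Python, with the NameFormat check raised in the reply included; the draft's list of UTF-8 string syntaxes is not reproduced in the mail, so the `UTF8_STRING_SYNTAXES` set and the sample OIDs are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("xsi", XSI_NS)

# Assumption: the draft's list of "UTF-8 string" LDAP syntaxes is not quoted in the
# mail, so this set is a stand-in; Directory String (RFC 4517) is one member.
UTF8_STRING_SYNTAXES = {"1.3.6.1.4.1.1466.115.121.1.15"}

def attribute_name(oid: str) -> str:
    """Name XML attribute: the urn:oid URN (RFC 3061) of the attribute type's OID."""
    if not oid or not all(p.isdigit() for p in oid.split(".")):
        raise ValueError(f"not a dotted OID: {oid!r}")
    return "urn:oid:" + oid

def build_attribute(oid, syntax_oid, raw_value: bytes, friendly_name=None):
    """<saml:Attribute> from an LDAP attribute type OID, its syntax OID and one raw value."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {
        "xmlns:xsd": XSD_NS,              # binds the xsd: prefix used in xsi:type
        "Name": attribute_name(oid),
        "NameFormat": NAME_FORMAT_URI,
        "Encoding": "LDAP",               # the draft's only defined value (see [RSP] notes)
    })
    if friendly_name:
        attr.set("FriendlyName", friendly_name)
    val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    if syntax_oid in UTF8_STRING_SYNTAXES:
        # strict decode: malformed UTF-8 raises instead of being passed through
        val.set(f"{{{XSI_NS}}}type", "xsd:string")
        val.text = raw_value.decode("utf-8")
    else:
        val.set(f"{{{XSI_NS}}}type", "xsd:base64Binary")
        val.text = base64.b64encode(raw_value).decode("ascii")
    return attr

def _urn_key(name: str):
    # RFC 2141/3061: "urn" and the NID compare case-insensitively, the OID itself exactly
    scheme, nid, nss = (name.split(":", 2) + ["", ""])[:3]
    return (scheme.lower(), nid.lower(), nss)

def designators_equal(a: dict, b: dict) -> bool:
    """8.2.4 plus the reply's point: NameFormat must also match; FriendlyName is ignored."""
    if a.get("NameFormat") != b.get("NameFormat"):
        return False
    return _urn_key(a["Name"]) == _urn_key(b["Name"])
```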