OASIS Mailing List Archives

security-services message
Subject: RE: [security-services] proposed new text for X.500/LDAP attribute profile


Hi Bob - Enjoy the vacation.

> 
> 8.2.2 SAML Attribute Naming
> 
> The NameFormat XML attribute in <AttributeDesignator> and <Attribute>
> elements MUST be urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
> 
> To construct attribute names, the URN oid namespace described in [RFC3061]

[RSP] Should we put a MUST right here?

> is used. In this approach the Name XML attribute is based on the OBJECT
> IDENTIFIER assigned to the X.500/LDAP attribute type.
> 


> 8.2.3 Profile-Specific XML Attributes
> 
> An XML attribute is defined for the  <Attribute> element:
> 
> 	Encoding [Optional]
> 
> This value of this XML attribute specifies the encoding used for the SAML

[RSP] s/This/The

> attribute value.  Only one value of this attribute is defined at this
> time: LDAP.  This specifies the use of the LDAP-specific encoding for this
> X.500 attribute value, as described in section 8.2.5.

[RSP] The encoding is really UTF-8, not "LDAP".  Perhaps we should
create SAML identifiers such as
"urn:oasis:names:tc:SAML:2.0:attr-encoding:LDAP-UTF8" to indicate it is
UTF-8 as used in LDAP directories. 

> 
> 8.2.4 <AttributeDesignator> Comparison
> 
> Two <AttributeDesignator> elements are equal if and only if their Name XML
> attribute values are equal in the sense of [RFC3061]. The FriendlyName
> attribute plays no role in the comparison.

[RSP] It may be obvious, but the NameFormat values must also match,
right?

> 
> 8.2.5 SAML Attribute Values
> 
> X.500 attribute definitions for use in native X.500 directories specify
> the syntax of the attribute using ASN.1 [X.680].  For transfer via the
> LDAP protocol, attribute definitions may additionally include an
> LDAP-specific encoding, commonly of Unicode characters in UTF-8 form.
> This encoding is identified by an LDAP-specific syntax.  This SAML
> attribute profile only specifies the form of SAML attribute values for
> those attributes for which an LDAP-specific syntax is provided.  Future
> extensions to this profile may define attribute value formats for other
> X.500-defined attributes.
> 
> For the following LDAP-specific syntaxes:

[RSP] Suggest rephrasing so that the long list doesn't sit in the middle
of the sentence.

> 
> the value of an X.500 attribute of this syntax is encoded as simply the
> UTF-8 string itself, as the content of the <AttributeValue> element, with
> no additional whitespace. In such cases, the xsi:type XML attribute MUST
> be set to xsd:string.  The Encoding XML attribute is provided, with a
> value of "LDAP".

[RSP] s/attribute is provided/attribute MUST be specified/

> 
> For all other LDAP syntaxes, the attribute value is encoded, as the
> content of the <AttributeValue> element, by base64-encoding [RFC2045] the
> encompassing ASN.1 OCTET STRING-encoded LDAP attribute value. The xsi:type
> XML attribute MUST be set to xsd:base64Binary.  The Encoding XML attribute
> is provided, with a value of "LDAP".

[RSP] Hmmm... I think, again, I'd prefer a different value for the
Encoding attribute that identifies the encoding as base64Binary in this
case, not "LDAP".
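As an added illustration of the rules quoted above (not part of the draft or of this reply), the following Python builds a SAML <Attribute> per sections 8.2.2 to 8.2.5 and compares designators in the RFC 3061 sense, also requiring NameFormat to match as the reply suggests. It assumes Encoding is an unqualified XML attribute, uses a constructed two-entry stand-in for the profile's list of UTF-8 string syntaxes (the list itself is not on this page), and keeps the draft's Encoding="LDAP" value.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed stand-in for the draft's list of LDAP syntaxes whose LDAP-specific
# encoding is a plain UTF-8 string (the real list is not reproduced in the quote).
UTF8_STRING_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.15",  # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26",  # IA5 String
}

def oid_urn(oid: str) -> str:
    """8.2.2: Name is the attribute type's OID in the RFC 3061 urn:oid namespace."""
    if not all(p.isdigit() for p in oid.split(".")):
        raise ValueError(f"not a dotted OID: {oid!r}")
    return "urn:oid:" + oid

def names_equal(a: str, b: str) -> bool:
    """RFC 3061 lexical equivalence: 'urn' and the NID are case-insensitive, digits exact."""
    ua, ub = a.split(":", 2), b.split(":", 2)
    return (len(ua) == len(ub) == 3 and [ua[0].lower(), ua[1].lower(), ua[2]]
            == [ub[0].lower(), ub[1].lower(), ub[2]])

def designators_equal(a: ET.Element, b: ET.Element) -> bool:
    """8.2.4 plus the reply's point: Name and NameFormat must match; FriendlyName is ignored."""
    return (names_equal(a.get("Name", ""), b.get("Name", ""))
            and a.get("NameFormat") == b.get("NameFormat"))

def encode_value(ldap_syntax_oid: str, raw: bytes) -> tuple[str, str]:
    """8.2.5: UTF-8 string syntaxes -> the string itself; anything else -> base64 of the octets."""
    if ldap_syntax_oid in UTF8_STRING_SYNTAXES:
        return raw.decode("utf-8"), "xsd:string"  # strict decode: bad UTF-8 raises
    return base64.b64encode(raw).decode("ascii"), "xsd:base64Binary"

def build_attribute(oid, ldap_syntax_oid, raw_values, friendly_name=None) -> ET.Element:
    """Assemble <saml:Attribute>; Encoding is assumed to be an unqualified attribute."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": oid_urn(oid),
                      "NameFormat": NAMEFORMAT_URI, "Encoding": "LDAP", "xmlns:xsd": XSD_NS})
    if friendly_name:
        attr.set("FriendlyName", friendly_name)
    for raw in raw_values:
        text, xsi_type = encode_value(ldap_syntax_oid, raw)
        val = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue", {f"{{{XSI_NS}}}type": xsi_type})
        val.text = text  # no surrounding whitespace, as 8.2.5 requires
    return attr
```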