OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] proposed new text for X.500/LDAP attribute profile

Hi Bob - Enjoy the vacation.

> 8.2.2 SAML Attribute Naming
> The NameFormat XML attribute in <AttributeDesignator> and <Attribute>
> elements MUST be urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
> To construct attribute names, the URN oid namespace described in

[RSP] Should we put a MUST right here?

> is used. In this approach the Name XML attribute is based on the
> IDENTIFIER assigned to the X.500/LDAP attribute type.

> 8.2.3 Profile-Specific XML Attributes
> An XML attribute is defined for the  <Attribute> element:
> 	Encoding [Optional]
> This value of this XML attribute specifies the encoding used for the

[RSP] s/This/The

> attribute value.  Only one value of this attribute is defined at this
> time: LDAP.  This specifies the use of the LDAP-specific encoding for
> X.500 attribute value, as described in section 8.2.5.

[RSP] The encoding is really UTF-8, not "LDAP".  Perhaps we should
create SAML identifiers such as
"urn:oasis:names:tc:SAML:2.0:attr-encoding:LDAP-UTF8" to indicate it is
UTF-8 as used in LDAP directories. 

> 8.2.4 <AttributeDesignator> Comparison
> Two <AttributeDesignator> elements are equal if and only if their Name
> attribute values are equal in the sense of [RFC3061]. The FriendlyName
> attribute plays no role in the comparison.

[RSP] It may be obvious, but the NameFormat values must also match,
> 8.2.5 SAML Attribute Values
> X.500 attribute definitions for use in native X.500 directories
> the syntax of the attribute using ASN.1 [X.680].  For transfer via the
> LDAP protocol, attribute definitions may additionally include an
> LDAP-specific encoding, commonly of Unicode characters in UTF-8 form.
> This encoding is identified by an LDAP-specific syntax.  This SAML
> attribute profile only specifies the form of SAML attribute values for
> those attributes for which an LDAP-specific syntax is provided.
> extensions to this profile may define attribute value formats for
> X.500-defined attributes.
> For the following LDAP-specific syntaxes:

[RSP] Suggest rephrasing so that the long list doesn't sit in the middle
of the sentence.
> the value of an X.500 attribute of this syntax is encoded as simply
> UTF-8 string itself, as the content of the <AttributeValue> element,
> no additional whitespace. In such cases, the xsi:type XML attribute
> be set to xsd:string.  The Encoding XML attribute is provided, with a
> value of "LDAP".

[RSP] s/attribute is provided/attribute MUST be specified/

> For all other LDAP syntaxes, the attribute value is encoded, as the
> content of the <AttributeValue> element, by base64-encoding [RFC2045]
> encompassing ASN.1 OCTET STRING-encoded LDAP attribute value. The
> XML attribute MUST be set to xsd:base64Binary.  The Encoding XML
> is provided, with a value of "LDAP".
[RSP] Hmmm... I think, again, I'd prefer a different value for the
Encoding attribute that identifies the encoding as base64Binary in this
case, not "LDAP".

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]