security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Comments regarding x509 authn based attribute profile (draft 5)

Rick, more comments on the May 2 draft.
1. (general comment - many places). In terms of references, such as [SAMLCore], I would suggest using the same font as the other SAML docs. There are times when these are bolded and sometime not. The Saml 2.0 docs do not bold these references.
 
2. (several places) Update the font for the x509 subject name urn identifier.
 
3. (line 83) s/the SubjectDN in the principal's/the principal's/  I.e., the decision may be based on the full info cert not necessarily just the subject dn.
 
4. (lines 109-110 and 150-152). The text is incorrect here. Basically,  we want to use metadata and metadata-ext.  I would change the text to:
"The service provider and identity provider MAY use metadata to identify which service provider and identity provider, respectively, to use to process requests. If metadata is used in this manner, the metadata MUST conform to [SAMLMeta-Ext] and [SAMLMeta], respectively."
You will need to add a reference to [SAMLMeta] in section 5.
 
5. (line 114) This should say "<AttributeQuery> Usage" basically matching line 159 (to be consistent)
 
6. (line 121) s/in SAMLCore]/in [SAMLCore]/
 
7. (line 122) This should say "<Response> Usage" basically matching line 192 (to be consistent)
 
8. (line 128) delete this line.
 
9. (line 137) delete this line.
 
10. (line 153) delete this line.
 
11. (line 157) s/All requests/responses MUST/All requests MUST/
 
12. (line 169) s/Subject DN/name identifier/
 
13. (line 171-172) s/Subject DN/name identifier/
 
14. (line 176) s/Subject DN/name identifier/
 
15. (line 189) s/[SAMLCore]and/[SAMLCore] and/
 
16. (line 190) s/All requests/responses MUST/All responses MUST/
 
17. (line 200) s/.././
 
18. (lines 214 - 219)  Change the lines to:
 
"The identity provider MAY use the symmetric key used for encrypting the principal's name identifier provided in the requesting <AttributeQuery>.  If the identity provider reuses the requesting key for encrypting the assertion carrying the attributes and place the resulting ciphertext in the <xenc:EncryptedData> element. The <EncryptedAssertion> element MUST NOT contain an <xenc:EncryptedKey> element. Because the service provider included the symmetric key in the <AttributeQuery>, it is implied that since the identity provider did not include an <xenc:EncryptedKey> element in the <EncryptedAssertion> element, the symmetric key in the <AttributeQuery> is being used; as opposed to a symmetric key that may have been established previously out of band.
 
Alternatively, the identity provider MAY generate a new symmetric key for encrypting the assertion carrying the attributes and place the resulting ciphertext in the <xenc:EncryptedData> element. The new symmetric key used to encrypt the assertion MUST be encrypted with the service provider's public key and the resulting ciphertext placed in the <xenc:EncryptedKey> element.
 
If the requesting <AttributeQuery> does not contain a symmetric key, i.e., it is using the one that was established previously out of band, the identity provider MAY use that symmetric key as well. In this case the response MUST NOT include an  <xenc:EncryptedKey> element in the <EncryptedAssertion> element.
 
A [FIPS 140-2] validated encryption algorithm SHALL be used for the encryption operation."
 
Also change line 171: s/previously established/previously out of band established/
Also change line 172: s/reuses a/uses this/
Also add to line 178: "A new symmetric key does in any way change a previously out of band established symmetric key."
 
 
19. (line 230-231) Remove carriage return between these lines to stay consistent with other paragraphs.
 
20. (line 232) delete this line.
 
21. (Chapter 5, References) Change format to uses that of Saml 2.0 docs -- seems to be using a couple of different ones right now.
 
22. (Chapter 5, References) The Saml 2.0 docs are dated March 2005 I believe vs. January 2005.
 
23. (Chapter 5, References) Add SAMLMeta.
 
24. (line 248) SAMLBind does not contain a url reference, author, etc...
 
25. (line 275) delete this line.

26. (line 305) delete this line.
 
27. (line 318) Update date to 2005. This is required in the footer as well.
 
Tom.

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
 
Entrust®
Securing Digital Identities
& Information
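The key-selection rules proposed in comment 18 can be checked mechanically on the service provider side. The following Python is an added illustration, not part of this message or of the draft profile: given the <EncryptedAssertion> returned by the identity provider and whether the service provider's <AttributeQuery> carried a symmetric key, it infers which key the identity provider used (a fresh key wrapped in <xenc:EncryptedKey>, the key from the query, or the key established out of band) and flags structural violations. The function and class names, the constructed sample responses with placeholder base64 values, and the approved-algorithm list standing in for a deployment's FIPS 140-2 validated choices are all assumptions of this example.

```python
"""SP-side key selection for a saml:EncryptedAssertion (added example).

Models the rules from comment 18: an xenc:EncryptedKey inside
saml:EncryptedAssertion signals a fresh key wrapped for the SP; its absence
signals reuse of the key the SP sent in the AttributeQuery, or of the key
established out of band when the query carried none.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
NS = {"saml": SAML_NS, "xenc": XENC_NS}

# Assumption: the deployment's list of FIPS 140-2 validated block-cipher
# identifiers, expressed as standard XML Encryption algorithm URIs.
APPROVED_ALGORITHMS = {XENC_NS + "aes128-cbc", XENC_NS + "aes256-cbc"}


@dataclass
class KeySelection:
    source: str                        # "encrypted-key", "query-key" or "out-of-band"
    wrapped_key: Optional[str] = None  # base64 EncryptedKey ciphertext, if present
    problems: List[str] = field(default_factory=list)


def select_decryption_key(encrypted_assertion_xml: str, query_carried_key: bool) -> KeySelection:
    """Decide which symmetric key the SP must use and collect profile violations."""
    root = ET.fromstring(encrypted_assertion_xml)
    if root.tag != f"{{{SAML_NS}}}EncryptedAssertion":
        raise ValueError("expected a saml:EncryptedAssertion element")

    problems: List[str] = []
    data = root.find("xenc:EncryptedData", NS)
    if data is None:
        problems.append("missing xenc:EncryptedData")
    else:
        method = data.find("xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in APPROVED_ALGORITHMS:
            problems.append(f"EncryptionMethod not on approved list: {alg}")

    keys = root.findall("xenc:EncryptedKey", NS)
    if len(keys) > 1:
        problems.append("more than one xenc:EncryptedKey in EncryptedAssertion")
    if keys:
        # Fresh-key case: the SP unwraps CipherValue with its private key before use.
        value = keys[0].find("xenc:CipherData/xenc:CipherValue", NS)
        if value is None or not (value.text or "").strip():
            problems.append("xenc:EncryptedKey carries no CipherValue")
            return KeySelection("encrypted-key", None, problems)
        return KeySelection("encrypted-key", value.text.strip(), problems)

    # No EncryptedKey: the IdP reused whichever symmetric key the SP already holds.
    if query_carried_key:
        return KeySelection("query-key", None, problems)
    return KeySelection("out-of-band", None, problems)


def constructed_response(algorithm: str, include_encrypted_key: bool) -> str:
    """Build a constructed saml:EncryptedAssertion; base64 values are placeholders."""
    encrypted_key = ""
    if include_encrypted_key:
        encrypted_key = (
            "  <xenc:EncryptedKey>\n"
            f'    <xenc:EncryptionMethod Algorithm="{XENC_NS}rsa-oaep-mgf1p"/>\n'
            "    <xenc:CipherData><xenc:CipherValue>V1JBUFBFRC1LRVk=</xenc:CipherValue></xenc:CipherData>\n"
            "  </xenc:EncryptedKey>\n"
        )
    return (
        f'<saml:EncryptedAssertion xmlns:saml="{SAML_NS}" xmlns:xenc="{XENC_NS}">\n'
        f'  <xenc:EncryptedData Type="{XENC_NS}Element">\n'
        f'    <xenc:EncryptionMethod Algorithm="{XENC_NS}{algorithm}"/>\n'
        "    <xenc:CipherData><xenc:CipherValue>QVNTRVJUSU9OLUNJUEhFUlRFWFQ=</xenc:CipherValue></xenc:CipherData>\n"
        "  </xenc:EncryptedData>\n"
        f"{encrypted_key}"
        "</saml:EncryptedAssertion>\n"
    )


if __name__ == "__main__":
    # Fresh key wrapped for the SP, key reused from the query, out-of-band key,
    # and a response using an algorithm outside the approved list.
    print(select_decryption_key(constructed_response("aes256-cbc", True), query_carried_key=True))
    print(select_decryption_key(constructed_response("aes256-cbc", False), query_carried_key=True))
    print(select_decryption_key(constructed_response("aes256-cbc", False), query_carried_key=False))
    print(select_decryption_key(constructed_response("tripledes-cbc", False), query_carried_key=True))
```

The SP must track whether its own <AttributeQuery> carried a key, because the response alone does not distinguish the query-key case from the out-of-band case; only the presence of <xenc:EncryptedKey> is observable, which is exactly the implication the proposed text spells out.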
