Subject: Comments regarding x509 authn based attribute profile (draft 5)
- From: Thomas Wisniewski <Thomas.Wisniewski@entrust.com>
- To: 'Randall Rick' <randall_rick@bah.com>
- Date: Tue, 10 May 2005 12:12:14 -0400
Rick, more comments on the May 2 draft.

1. (general comment - many places). In terms of references, such as [SAMLCore], I would suggest using the same font as the other SAML docs. There are times when these are bolded and sometimes not. The SAML 2.0 docs do not bold these references.

2. (several places) Update the font for the x509 subject name urn identifier.

3. (line 83) s/the SubjectDN in the principal's/the principal's/ I.e., the decision may be based on the full cert info, not necessarily just the subject DN.

4. (lines 109-110 and 150-152). The text is incorrect here. Basically, we want to use metadata and metadata-ext. I would change the text to:
"The service provider and identity provider MAY use metadata to identify which service provider and identity provider, respectively, to use to process requests. If metadata is used in this manner, the metadata MUST conform to [SAMLMeta-Ext] and [SAMLMeta], respectively."
You will need to add a reference to [SAMLMeta] in section 5.

5. (line 114) This should say "<AttributeQuery> Usage", basically matching line 159 (to be consistent).

6. (line 121) s/in SAMLCore]/in [SAMLCore]/

7. (line 122) This should say "<Response> Usage", basically matching line 192 (to be consistent).

8. (line 128) delete this line.

9. (line 137) delete this line.

10. (line 153) delete this line.

11. (line 157) s/All requests/responses MUST/All requests MUST/

12. (line 169) s/Subject DN/name identifier/

13. (lines 171-172) s/Subject DN/name identifier/

14. (line 176) s/Subject DN/name identifier/

15. (line 189) s/[SAMLCore]and/[SAMLCore] and/

16. (line 190) s/All requests/responses MUST/All responses MUST/

17. (line 200) s/.././

18. (lines 214-219) Change the lines to:
"The identity provider MAY use the symmetric key used for encrypting the principal's name identifier provided in the requesting <AttributeQuery>. If the identity provider reuses the requesting key for encrypting the assertion carrying the attributes and places the resulting ciphertext in the <xenc:EncryptedData> element, the <EncryptedAssertion> element MUST NOT contain an <xenc:EncryptedKey> element. Because the service provider included the symmetric key in the <AttributeQuery>, it is implied that since the identity provider did not include an <xenc:EncryptedKey> element in the <EncryptedAssertion> element, the symmetric key in the <AttributeQuery> is being used, as opposed to a symmetric key that may have been established previously out of band.
Alternatively, the identity provider MAY generate a new symmetric key for encrypting the assertion carrying the attributes and place the resulting ciphertext in the <xenc:EncryptedData> element. The new symmetric key used to encrypt the assertion MUST be encrypted with the service provider's public key and the resulting ciphertext placed in the <xenc:EncryptedKey> element.
If the requesting <AttributeQuery> does not contain a symmetric key, i.e., it is using the one that was established previously out of band, the identity provider MAY use that symmetric key as well. In this case the response MUST NOT include an <xenc:EncryptedKey> element in the <EncryptedAssertion> element.
A [FIPS 140-2] validated encryption algorithm SHALL be used for the encryption operation."
Also change line 171: s/previously established/previously out of band established/
Also change line 172: s/reuses a/uses this/
Also add to line 178: "A new symmetric key does in any way change a previously out of band established symmetric key."

19. (lines 230-231) Remove the carriage return between these lines to stay consistent with other paragraphs.

20. (line 232) delete this line.

21. (Chapter 5, References) Change the format to use that of the SAML 2.0 docs -- it seems to be using a couple of different ones right now.

22. (Chapter 5, References) The SAML 2.0 docs are dated March 2005 I believe vs. January 2005.

23. (Chapter 5, References) Add SAMLMeta.

24. (line 248) SAMLBind does not contain a url reference, author, etc...

25. (line 275) delete this line.

26. (line 305) delete this line.

27. (line 318) Update the date to 2005. This is required in the footer as well.
Tom.
Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
Entrust®
Securing Digital Identities & Information
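The key-selection rule proposed in item 18 above, worked out from the service provider's side as an added example (this is not code from the draft profile or from anyone on the list): when the response's <EncryptedAssertion> carries no <xenc:EncryptedKey>, the identity provider reused a key the service provider already holds (the key sent in the <AttributeQuery> if there was one, otherwise the previously out-of-band established key); when it does carry one, a fresh key was wrapped with the service provider's public key and must be unwrapped before the assertion can be decrypted. The element names and namespace URIs are the standard SAML 2.0 and XML Encryption ones; the two sample responses and the base64 payloads inside them are constructed filler, and the actual RSA unwrap and AES decryption are left to the caller because they depend on the deployment's key store.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion and XML Encryption namespaces.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: the IdP reused a key the SP already holds, so there is
# no xenc:EncryptedKey beside the xenc:EncryptedData. CipherValue is filler.
REUSED_KEY_RESPONSE = """\
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>
"""

# Constructed sample: the IdP generated a fresh key and wrapped it with the
# SP's public key; the wrapped key (filler bytes here) rides in EncryptedKey.
NEW_KEY_RESPONSE = """\
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <xenc:CipherData><xenc:CipherValue>d3JhcHBlZC1rZXk=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
</saml:EncryptedAssertion>
"""


def select_decryption_key(encrypted_assertion_xml, query_key=None, oob_key=None):
    """Decide which symmetric key the SP must use for this <EncryptedAssertion>.

    query_key: key the SP placed in its <AttributeQuery>, or None if it sent none.
    oob_key:   key established previously out of band, or None.

    Returns {'source': 'query-key' | 'out-of-band-key', 'key': <bytes>} when the
    IdP reused a key the SP already holds, or {'source': 'new-key',
    'wrapped_key': <bytes>} when the SP still has to unwrap a fresh key with
    its own private key. Raises ValueError when the response breaks the rule.
    """
    root = ET.fromstring(encrypted_assertion_xml)
    if root.tag != "{%s}EncryptedAssertion" % NS["saml"]:
        raise ValueError("expected a saml:EncryptedAssertion element")
    if root.find("xenc:EncryptedData", NS) is None:
        raise ValueError("EncryptedAssertion carries no xenc:EncryptedData")

    encrypted_keys = root.findall("xenc:EncryptedKey", NS)
    if len(encrypted_keys) > 1:
        raise ValueError("more than one xenc:EncryptedKey element")

    if encrypted_keys:
        # Fresh key case: the IdP wrapped a new key with the SP's public key.
        cipher_value = encrypted_keys[0].find("xenc:CipherData/xenc:CipherValue", NS)
        if cipher_value is None or not (cipher_value.text or "").strip():
            raise ValueError("xenc:EncryptedKey has no CipherValue")
        return {"source": "new-key",
                "wrapped_key": base64.b64decode(cipher_value.text.strip())}

    # No EncryptedKey: the IdP reused a key the SP already holds. The key sent
    # in the AttributeQuery takes precedence; otherwise the out-of-band key.
    if query_key is not None:
        return {"source": "query-key", "key": query_key}
    if oob_key is not None:
        return {"source": "out-of-band-key", "key": oob_key}
    raise ValueError("no xenc:EncryptedKey and no shared key to fall back on")


if __name__ == "__main__":
    demo_query_key = b"q" * 32  # constructed stand-in for the key sent in the query
    for label, doc in (("reused", REUSED_KEY_RESPONSE), ("fresh", NEW_KEY_RESPONSE)):
        print(label, select_decryption_key(doc, query_key=demo_query_key)["source"])
```

The fall-through at the end is the case the rule leaves no room for: an <EncryptedAssertion> with no <xenc:EncryptedKey> arriving at a service provider that neither sent a key in its query nor holds an out-of-band key has no decryption key at all and should be rejected rather than guessed at.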