Subject: Re: [security-services] LDAP Attribute Profile (saml-profiles-saml2.0)

On Mon, 16 Jan 2006, Greg Whitehead wrote:

> 2) The ONLY clue we have that the AttributeValue is encoded using the 
> X500/LDAP profile is an attribute in the profile namespace 
> (x500:Encoding). Unless we know to look for that attribute, or we search 
> for all attributes that we don't understand and throw up our hands if 
> any are found, there is NO way to know what crazy encoding rules have 
> been applied to the AttributeValue (such as ASN.1 octet string 
> wrappers).

Hmm, the point of the ldapprof:Encoding="LDAP" XML attribute isn't to call 
out the use of the X.500/LDAP profile as a whole, it's to indicate that, 
in that profile, the LDAP-specific encoding is being used, rather than any 
other possible encodings, none of which have been defined yet (but 
possibilities might include X.500 and RXER some day).  If we had decided 
not to leave the door open for those other encodings, but said this 
profile is only LDAP forever, there would have been no Encoding XML 
attribute at all.

So I think the point is that by using as a SAML attribute Name an OID that 
is defined as an X.500/LDAP attribute type, you're using the X.500/LDAP 
profile, like it or not.  So it's like Scott said about LDAP:  the format 
is determined by the attribute name, which should be clear, no?

I suppose someone could come along and add a myFormat="Klingon" XML 
attribute to the AttributeValue element of any SAML Attribute in hopes it 
would affect the processing.  Should SAML attribute profiles have language 
specifically precluding this?  Seems like trying to specify common sense.

  - RL "Bob"
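The thread above turns on two points: which attribute profile applies is decided by the Attribute's Name (an OID under the URI name format means the X.500/LDAP profile), and a consumer that wants to be safe against surprise encodings has to notice XML attributes on AttributeValue that it does not understand. The following Python snippet is an added example written for this page, not code from the list participants or from any SAML implementation. It assumes the final X.500/LDAP profile namespace URI and the `Encoding="LDAP"` convention, and it makes one local policy choice that the message does not dictate: an OID-named attribute whose value lacks the Encoding attribute, or whose value carries any XML attribute outside the known set (the "myFormat=Klingon" case), is rejected rather than processed. The sample assertion fragment is constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Namespace of the SAML 2.0 X.500/LDAP attribute profile (assumed here;
# the thread calls it x500:/ldapprof: without giving the URI).
X500_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def q(ns, local):
    """ElementTree's Clark-notation key for a namespaced name/attribute."""
    return "{%s}%s" % (ns, local)


# XML attributes this consumer understands on <saml:AttributeValue>.
# Anything else (e.g. an unqualified myFormat="Klingon") is refused.
KNOWN_VALUE_ATTRS = {q(XSI_NS, "type"), q(X500_NS, "Encoding")}


def classify(attribute):
    """Classify one <saml:Attribute>: which profile governs it, and its values.

    The profile is derived from the Name, as the message argues: an OID under
    the URI name format means the X.500/LDAP profile applies, like it or not.
    Raises ValueError for anything this consumer cannot interpret safely.
    """
    name = attribute.get("Name", "")
    name_format = attribute.get("NameFormat", UNSPECIFIED_FORMAT)
    is_x500 = name_format == URI_FORMAT and name.startswith("urn:oid:")
    profile = "x500" if is_x500 else "basic"
    values = []
    for value_el in attribute.findall(q(SAML_NS, "AttributeValue")):
        unknown = sorted(set(value_el.attrib) - KNOWN_VALUE_ATTRS)
        if unknown:
            # Unknown attributes could signal an encoding we don't know how
            # to undo, so stop instead of guessing at the value's meaning.
            raise ValueError(
                "unrecognised XML attribute(s) on AttributeValue of %s: %s"
                % (name, unknown))
        encoding = value_el.get(q(X500_NS, "Encoding"))
        if is_x500:
            # Local policy (assumption): X.500/LDAP values must say LDAP.
            if encoding is None:
                raise ValueError("X.500/LDAP attribute %s lacks Encoding" % name)
            if encoding != "LDAP":
                raise ValueError("unsupported Encoding %r on %s" % (encoding, name))
        elif encoding is not None:
            raise ValueError("Encoding attribute on non-X.500 attribute %s" % name)
        values.append(value_el.text or "")
    return {"name": name, "profile": profile, "values": values}


def classify_all(xml_text):
    """Map Attribute Name -> classification for every Attribute in a fragment."""
    root = ET.fromstring(xml_text)
    return {r["name"]: r for r in
            (classify(a) for a in root.iter(q(SAML_NS, "Attribute")))}


def rejection(xml_text):
    """Return the rejection reason for a fragment, or None if it is accepted."""
    try:
        classify_all(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: one X.500/LDAP-profile attribute (givenName, OID
# 2.5.4.42) and one basic-profile attribute.
SAMPLE_OK = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.5.4.42" FriendlyName="givenName">
    <saml:AttributeValue xsi:type="xs:string" x500:Encoding="LDAP">Bob</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      Name="nickname">
    <saml:AttributeValue xsi:type="xs:string">RL</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: the hypothetical myFormat="Klingon" from the message.
SAMPLE_KLINGON = SAMPLE_OK.replace(
    'x500:Encoding="LDAP"', 'x500:Encoding="LDAP" myFormat="Klingon"')


if __name__ == "__main__":
    for name, info in classify_all(SAMPLE_OK).items():
        print(name, info["profile"], info["values"])
    print("Klingon fragment:", rejection(SAMPLE_KLINGON))
```

Deriving the profile from the Name rather than from the presence of `x500:Encoding` mirrors the message's argument; the strict refusal of unknown XML attributes is the "throw up our hands" option from the quoted text, chosen here because silently treating an unknown-encoded value as a plain string is the failure mode the quoted concern describes.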

