OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Groups - sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded

> Since we specify the X509SubjectName format, I agree.  If we were to
> invent our own format, it would be an interesting question whether RFC
> 2253 should be SHOULD or MUST, and whether the poorly understood
> encoding rules of XMLSig are really necessary.

Maybe we can add it to the list of poorly understood XMLSig rules and get
rid of it altogether. ;-)

> We already have such an extension for standalone attribute requesters.

With respect to Ari's statement, if people are using metadata *at an IdP/AA*
in support of this profile, they're doing something undefined (as Tom says)
because there's no role defined that could be used apart from
SPSSODescriptor (and ignoring all the endpoint elements).

In fairness, I advocated a general SP/RP role and just including optional
web SSO bits, but that wasn't adopted, so...

The flipside is different. It's likely, and not really "wrong", to use
existing AA metadata.

> A general-purpose attribute responder can not legally use SAML V2.0
> metadata to advertise a location endpoint that supports this profile.

That's an interpretation that depends on the "compatibility" of the new
profile with the base profile. My interpretation is it's a restrictive
subset that consists of messages legal in the base profile and so it's legal
to just treat the rest as OOB information, as with all the hundred other
things not included in metadata.

OTOH, yeah, if the new profile is just not even legal SAML queries, uses
extensions, different messages, etc, that's another matter.

> An SP looking at this metadata can not tell if the endpoint location
> supports this profile.

Yep. So it's OOB.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]