security-services message


Subject: FW: <NameID> element usage in the SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems

Sending on behalf of Mike Merrill (currently a TC observer):



When the “SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems” document moved from draft 10 (sstc-saml-x509-authn-attrib-profile-draft-10) to draft 11 (sstc-saml2-profiles-x509-draft-11), the document was renamed and drastically reorganized.  If I recall correctly, some committee members took exception to the extensive rewrite of the profile between drafts 10 and 11, which led to the withdrawal of the new draft.  Since then, no new draft of the profile has been submitted.


The problem is that at least one usage issue was (I believe) correctly resolved in draft 11 but is now lost due to the withdrawal of that draft.


Section 3.2.1 of draft 10 (“<AttributeQuery> Usage”) outlines rules that an <AttributeQuery> element MUST conform to.  The third rule listed says:


“The <NameID> element SHOULD have a NameQualifier attribute whose value is the Issuer DN from the principal’s X.509 certificate.  The format of this DN SHOULD also comply with [RFC2253].”


As I recall, there was some discussion on the mailing list about whether or not this conflicted with the guidance given in section 2.2.2 of the “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0” document (saml-core-2.0-os) which states that:


“The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless the element or format explicitly defines their use and semantics.”


The X.509 Subject Name format applicable here and defined in section 8.3.3 of the previously mentioned document does not explicitly define the use of the NameQualifier or SPNameQualifier attributes.  The mailing list came to the conclusion that the “<AttributeQuery> Usage” section in draft 10 should be revised to indicate that the <NameID> element should not specify a NameQualifier.


The recommendation was followed in section 2.3.1 (“<saml:NameID> Usage”) of draft 11, where the third rule says:


“As specified in [SAMLCore], the NameQualifier attribute of the <saml:NameID> element SHOULD be omitted.”


So, as an implementer of the profile defined in these documents, I’ve been wondering if a new draft has been planned that will correct this issue (and any others that I may not be aware of) that had already been corrected in the withdrawn draft 11.  Does anybody have any insight into this?


Thank you in advance.


Mike Merrill

Principal Software Engineer

(781) 515-7094



RSA, The Security Division of EMC 
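The two rules the message contrasts, as an added example that is not part of the thread or of either draft: a small script that builds an `<AttributeQuery>` whose `<NameID>` uses the X.509 Subject Name format (the URI from SAML core section 8.3.3), once with the draft 10 style NameQualifier set to the issuer DN and once with it omitted as draft 11 and SAML core section 2.2.2 say, plus a checker an implementer could run over received queries to flag the qualifier. The DNs, request ID, issuer URL and timestamp are constructed sample values.

```python
"""Constructed example: <AttributeQuery> with and without NameQualifier on <NameID>."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Name identifier format defined in SAML core section 8.3.3 ("X.509 Subject Name").
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)


def build_attribute_query(subject_dn, issuer_dn=None,
                          query_id="_constructed-query-1",
                          issue_instant="2006-01-01T00:00:00Z",
                          requester="https://sp.example.org/saml"):
    """Build a minimal <samlp:AttributeQuery> naming the principal by certificate subject DN.

    issuer_dn=None follows draft 11 (NameQualifier omitted); passing the
    certificate issuer DN reproduces draft 10's third rule.  All values are
    constructed sample data.
    """
    query = ET.Element(f"{{{SAMLP_NS}}}AttributeQuery",
                       {"ID": query_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(query, f"{{{SAML_NS}}}Issuer").text = requester
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    attrs = {"Format": X509_SUBJECT_NAME}
    if issuer_dn is not None:
        attrs["NameQualifier"] = issuer_dn  # draft 10 style; conflicts with SAMLCore 2.2.2
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", attrs)
    name_id.text = subject_dn  # RFC 2253 string form of the certificate subject
    return ET.tostring(query, encoding="unicode")


def check_name_id(xml_text):
    """Return findings for the <saml:NameID> of a received query under draft 11's rule.

    An empty list means the NameID carries the X.509 Subject Name format, a
    non-empty value, and no NameQualifier / SPNameQualifier.
    """
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        return ["no <saml:NameID> under <saml:Subject>"]
    if name_id.get("Format") != X509_SUBJECT_NAME:
        findings.append(f"unexpected Format {name_id.get('Format')!r}; expected X509SubjectName")
    if "NameQualifier" in name_id.attrib:
        findings.append("NameQualifier present; SHOULD be omitted (SAMLCore 2.2.2, draft 11 rule 3)")
    if "SPNameQualifier" in name_id.attrib:
        findings.append("SPNameQualifier present; SHOULD be omitted (SAMLCore 2.2.2)")
    if not (name_id.text or "").strip():
        findings.append("NameID has no value")
    return findings


if __name__ == "__main__":
    subject = "CN=Alice Example,OU=Engineering,O=Example Corp,C=US"   # constructed
    issuer = "CN=Example Corp Issuing CA,O=Example Corp,C=US"          # constructed
    for label, q in (("draft 10 style", build_attribute_query(subject, issuer)),
                     ("draft 11 style", build_attribute_query(subject))):
        print(label, "->", check_name_id(q) or "ok")
```

Rerunning the checker with `SPNameQualifier` added to the element shows the same finding for that attribute, since SAML core's section 2.2.2 rule covers both qualifiers and the X.509 Subject Name format defines the semantics of neither.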

