Subject: FW: <NameID> element usage in the SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems
Sending on behalf of Mike Merrill (currently a TC observer):

-----------------------------------------------

When the “SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems” document moved from draft 10 (sstc-saml-x509-authn-attrib-profile-draft-10) to draft 11 (sstc-saml2-profiles-x509-draft-11), the document was renamed and drastically reorganized. If I recall correctly, some committee members took exception to the extensive rewrite of the profile between drafts 10 and 11, which led to the withdrawal of the new draft. Since then, no new draft of the profile has been submitted.

The problem is that at least one usage issue was (I believe) correctly resolved in draft 11 but is now lost due to the withdrawal of that draft.

Section 3.2.1 of draft 10 (“<AttributeQuery> Usage”) outlines rules that an <AttributeQuery> element MUST conform to. The third rule listed says:

“The <NameID> element SHOULD have a NameQualifier attribute whose value is the Issuer DN from the principal’s X.509 certificate. The format of this DN SHOULD also comply with [RFC2253].”

As I recall, there was some discussion on the mailing list about whether or not this conflicted with the guidance given in section 2.2.2 of the “Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0” document (saml-core-2.0-os), which states that:

“The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless the element or format explicitly defines their use and semantics.”

The X.509 Subject Name format applicable here and defined in section 8.3.3 of the previously mentioned document does not explicitly define the use of the NameQualifier or SPNameQualifier attributes. The mailing list came to the conclusion that the “<AttributeQuery> Usage” section in draft 10 should be revised to indicate that the <NameID> element should not specify a NameQualifier. The recommendation was followed in section 2.3.1 (“<saml:NameID> Usage”) of draft 11, where the third rule says:

“As specified in [SAMLCore], the NameQualifier attribute of the <saml:NameID> element SHOULD be omitted.”

So, as an implementer of the profile defined in these documents, I’ve been wondering if a new draft has been planned that will correct this issue (and any others that I may not be aware of) that had already been corrected in the withdrawn draft 11. Does anybody have any insight into this?

Thank you in advance.

Mike Merrill
Principal Software Engineer
(781) 515-7094
RSA, The Security Division of EMC
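A conformance check an implementer could run over outgoing <AttributeQuery> messages, added here as an example and not part of Mike's message or of either profile draft: it applies the draft-11 rule quoted above (NameQualifier, and by the same SAML Core guidance SPNameQualifier, omitted for the X.509 Subject Name format) and flags a draft-10 style query that carries the issuer DN. The two sample queries are constructed; the format URI and namespaces are the ones SAML Core defines.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Format identifier for the X.509 Subject Name format (SAML Core, section 8.3.3)
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

def check_name_id_usage(query_xml):
    """Return findings (empty list = conforms) for <NameID> in an <AttributeQuery>.

    Encodes the draft-11 rule: with the X.509 Subject Name format, NameQualifier
    (and SPNameQualifier) SHOULD be omitted, because SAML Core section 8.3.3
    does not define their use or semantics for that format.
    """
    root = ET.fromstring(query_xml)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        return ["root element is not samlp:AttributeQuery"]
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None:
        return ["no saml:Subject/saml:NameID in the query"]
    findings = []
    if name_id.get("Format") != X509_SUBJECT_NAME:
        findings.append("NameID Format is not the X.509 Subject Name format")
    for attr in ("NameQualifier", "SPNameQualifier"):
        if name_id.get(attr) is not None:
            findings.append(f"{attr} present; SHOULD be omitted for this format")
    return findings

# Constructed sample in draft-10 style: NameQualifier carries the issuer DN
DRAFT10_STYLE = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_q1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{X509_SUBJECT_NAME}"
        NameQualifier="CN=Example CA,O=Example Org,C=US">CN=Alice,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""

# Constructed sample in draft-11 style: same query with NameQualifier omitted
DRAFT11_STYLE = DRAFT10_STYLE.replace(
    '\n        NameQualifier="CN=Example CA,O=Example Org,C=US"', "")

if __name__ == "__main__":
    for label, doc in (("draft 10 style", DRAFT10_STYLE), ("draft 11 style", DRAFT11_STYLE)):
        print(label, check_name_id_usage(doc) or "conforms")
```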