security-services message



Subject: RE: [security-services] FW: <NameID> element usage in the SAMLV2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems


Rob, Tom:

I currently have an open AI (shamefully late) to produce a new draft of the original document structure, which will be named sstc-saml-x509-authn-attrib-profile-draft-11.

In this new draft, I will include the various consensus decisions that the TC came to in debating the substantive differences introduced between cd-01 and draft-10. The below-mentioned NameQualifier issue is one of these.

I believe that your implementation effort will be best served if you work from cd-01, which left the usage of NameQualifier under the control of SAMLCore.

Best,
Ari Kermaier


> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Monday, December 18, 2006 5:16 PM
> To: Philpott, Robert
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] FW: <NameID> element usage in the SAML
> V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems
> 
> 
> The history and statement of the problem below is 100% correct.  FWIW,
> this issue has been resolved in the SAML V2.0 Deployment Profiles for
> X.509 Subjects (sstc-saml2-profiles-deploy-x509-draft-01), the
> document that grew out of draft 11
> (sstc-saml2-profiles-x509-draft-11).  The former represents a
> completely new document stream, however, so I'm not sure it is
> relevant.  I mention it here for completeness.
> 
> Tom Scavo
> NCSA/University of Illinois
> 
> On 12/13/06, Philpott, Robert <rphilpott@rsasecurity.com> wrote:
> >
> > Sending on behalf of Mike Merrill (currently a TC observer):
> >
> > -----------------------------------------------
> >
> > When the "SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based
> > Systems" document moved from draft 10 (sstc-saml-x509-authn-attrib-profile-draft-10)
> > to draft 11 (sstc-saml2-profiles-x509-draft-11), the document was renamed and
> > drastically reorganized.  If I recall correctly, some committee members took
> > exception to the extensive rewrite of the profile between drafts 10 and 11,
> > which led to the withdrawal of the new draft.  Since then, no new draft of the
> > profile has been submitted.
> >
> > The problem is that at least one usage issue was (I believe) correctly
> > resolved in draft 11 but is now lost due to the withdrawal of that draft.
> >
> > Section 3.2.1 of draft 10 ("<AttributeQuery> Usage") outlines rules that an
> > <AttributeQuery> element MUST conform to.  The third rule listed says:
> >
> > "The <NameID> element SHOULD have a NameQualifier attribute whose value is
> > the Issuer DN from the principal's X.509 certificate.  The format of this DN
> > SHOULD also comply with [RFC2253]."
> >
> > As I recall, there was some discussion on the mailing list about whether or
> > not this conflicted with the guidance given in section 2.2.2 of the
> > "Assertions and Protocols for the OASIS Security Assertion Markup Language
> > (SAML) V2.0" document (saml-core-2.0-os) which states that:
> >
> > "The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless
> > the element or format explicitly defines their use and semantics."
> >
> > The X.509 Subject Name format applicable here and defined in section 8.3.3
> > of the previously mentioned document does not explicitly define the use of
> > the NameQualifier or SPNameQualifier attributes.  The mailing list came to
> > the conclusion that the "<AttributeQuery> Usage" section in draft 10 should
> > be revised to indicate that the <NameID> element should not specify a
> > NameQualifier.
> >
> > The recommendation was followed in section 2.3.1 ("<saml:NameID> Usage") of
> > draft 11, where the third rule says:
> >
> >             "As specified in [SAMLCore], the NameQualifier attribute of the
> > <saml:NameID> element SHOULD be omitted."
> >
> > So, as an implementer of the profile defined in these documents, I've been
> > wondering if a new draft has been planned that will correct this issue (and
> > any others that I may not be aware of) that had already been corrected in
> > the withdrawn draft 11.  Does anybody have any insight into this?
> >
> > Thank you in advance.
> >
> > Mike Merrill
> > Principal Software Engineer
> > (781) 515-7094
> > mmerrill@rsasecurity.com
> > RSA, The Security Division of EMC
> >
>

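The thread turns on one concrete rule: for an <AttributeQuery> whose <saml:NameID> uses the X509SubjectName format (SAML Core section 8.3.3), draft 10 said the NameID SHOULD carry a NameQualifier holding the certificate's Issuer DN, while SAML Core section 2.2.2 (and draft 11) says the qualifier SHOULD be omitted because that format defines no semantics for it. The following Python is an added example, not code from the TC, the profile drafts, or any of the posters. It builds both forms of the query and then checks a query against the draft-11 / SAMLCore rule: exactly one NameID, X509SubjectName format, no NameQualifier or SPNameQualifier, and a value that splits as an RFC 2253 string DN. The element IDs, timestamps, DNs and entity IDs are constructed placeholder values, and the RFC 2253 check is a plausibility check on the string syntax, not a full DN parser.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# NameID format for X.509 subject names (SAML Core V2.0, section 8.3.3).
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)


def build_attribute_query(subject_dn, requester_entity_id, issuer_dn=None):
    """Serialise a minimal <samlp:AttributeQuery> for an X.509-authenticated subject.

    subject_dn is the certificate Subject DN as an RFC 2253 string.  If issuer_dn
    is given it is written into NameQualifier, which is the draft-10 rule; leaving
    it None yields the draft-11 / SAMLCore form.  ID and IssueInstant are
    constructed placeholders, not values from any real deployment.
    """
    query = ET.Element(f"{{{SAMLP_NS}}}AttributeQuery", {
        "ID": "_example-attribute-query",        # constructed
        "Version": "2.0",
        "IssueInstant": "2006-12-18T22:16:00Z",  # constructed
    })
    ET.SubElement(query, f"{{{SAML_NS}}}Issuer").text = requester_entity_id
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID",
                            {"Format": X509_SUBJECT_NAME})
    name_id.text = subject_dn
    if issuer_dn is not None:
        name_id.set("NameQualifier", issuer_dn)
    return ET.tostring(query, encoding="unicode")


def split_rfc2253_avas(dn):
    """Split an RFC 2253 string DN into attribute-value assertions.

    Honours backslash escapes and double-quoted values, so an escaped comma
    inside a value (e.g. O=Acme\\, Inc.) does not start a new RDN.  Both the
    RDN separator ',' and the multi-value separator '+' end an AVA.
    """
    avas, cur, i, in_quotes = [], [], 0, False
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped pair, keep verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c in ",+" and not in_quotes:
            avas.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    avas.append("".join(cur))
    return avas


def rfc2253_plausible(dn):
    """True if every AVA in dn has the shape 'type=value' with a non-empty type."""
    if not dn or not dn.strip():
        return False
    for ava in split_rfc2253_avas(dn):
        if "=" not in ava:
            return False
        attr_type, _value = ava.split("=", 1)
        if not attr_type.strip():
            return False
    return True


def check_name_id(query_xml):
    """Return a list of rule violations for the <saml:NameID> of an AttributeQuery.

    Rules applied: exactly one NameID under Subject; Format is X509SubjectName;
    NameQualifier and SPNameQualifier absent (SAML Core 2.2.2, draft-11 2.3.1);
    value parses as an RFC 2253 string DN.  An empty list means conformant.
    """
    root = ET.fromstring(query_xml)
    problems = []
    name_ids = root.findall(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if len(name_ids) != 1:
        return ["expected exactly one <saml:NameID> under <saml:Subject>"]
    nid = name_ids[0]
    if nid.get("Format") != X509_SUBJECT_NAME:
        problems.append("NameID Format is not X509SubjectName")
    for attr in ("NameQualifier", "SPNameQualifier"):
        if nid.get(attr) is not None:
            problems.append(f"{attr} is present; SAML Core 2.2.2 says to omit it for this format")
    if not rfc2253_plausible(nid.text or ""):
        problems.append("NameID value is not an RFC 2253 string DN")
    return problems


if __name__ == "__main__":
    # Constructed sample DNs and entity ID.
    subject = "CN=Alice Example,OU=Engineering,O=Example Corp,C=US"
    issuer = "CN=Example Corp CA,O=Example Corp,C=US"
    sp = "https://sp.example.org/saml"  # constructed
    print(check_name_id(build_attribute_query(subject, sp)))          # []
    print(check_name_id(build_attribute_query(subject, sp, issuer)))  # NameQualifier flagged
```

Run as a script it prints an empty list for the SAMLCore-conformant query and a single complaint for the draft-10 form, which is exactly the difference Mike Merrill's mail describes. Note that a relying party which tolerates the draft-10 form should still not use NameQualifier as the trust anchor: binding the subject DN to its issuing CA belongs in certificate validation, which this profile leaves to the X.509 authentication step that precedes the query.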

