Subject: RE: [security-services] FW: <NameID> element usage in the SAMLV2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems
Rob, Tom:

I currently have an open AI (shamefully late) to produce a new draft of the original document structure, which will be named sstc-saml-x509-authn-attrib-profile-draft-11. In this new draft, I will include the various consensus decisions that the TC came to in debating the substantive differences introduced between cd-01 and draft-10. The below-mentioned NameQualifier issue is one of these. I believe that your implementation effort will be best served if you work from cd-01, which left the usage of NameQualifier under the control of SAMLCore.

Best,
Ari Kermaier

> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Monday, December 18, 2006 5:16 PM
> To: Philpott, Robert
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] FW: <NameID> element usage in the SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems
>
> The history and statement of the problem below is 100% correct. FWIW, this issue has been resolved in the SAML V2.0 Deployment Profiles for X.509 Subjects (sstc-saml2-profiles-deploy-x509-draft-01), the document that grew out of draft 11 (sstc-saml2-profiles-x509-draft-11). The former represents a completely new document stream, however, so I'm not sure it is relevant. I mention it here for completeness.
>
> Tom Scavo
> NCSA/University of Illinois
>
> On 12/13/06, Philpott, Robert <rphilpott@rsasecurity.com> wrote:
> >
> > Sending on behalf of Mike Merrill (currently a TC observer):
> >
> > -----------------------------------------------
> >
> > When the "SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems" document moved from draft 10 (sstc-saml-x509-authn-attrib-profile-draft-10) to draft 11 (sstc-saml2-profiles-x509-draft-11), the document was renamed and drastically reorganized. If I recall correctly, some committee members took exception to the extensive rewrite of the profile between drafts 10 and 11, which led to the withdrawal of the new draft. Since then, no new draft of the profile has been submitted.
> >
> > The problem is that at least one usage issue was (I believe) correctly resolved in draft 11 but is now lost due to the withdrawal of that draft.
> >
> > Section 3.2.1 of draft 10 ("<AttributeQuery> Usage") outlines rules that an <AttributeQuery> element MUST conform to. The third rule listed says:
> >
> > "The <NameID> element SHOULD have a NameQualifier attribute whose value is the Issuer DN from the principal's X.509 certificate. The format of this DN SHOULD also comply with [RFC2253]."
> >
> > As I recall, there was some discussion on the mailing list about whether or not this conflicted with the guidance given in section 2.2.2 of the "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0" document (saml-core-2.0-os) which states that:
> >
> > "The NameQualifier and SPNameQualifier attributes SHOULD be omitted unless the element or format explicitly defines their use and semantics."
> >
> > The X.509 Subject Name format applicable here and defined in section 8.3.3 of the previously mentioned document does not explicitly define the use of the NameQualifier or SPNameQualifier attributes. The mailing list came to the conclusion that the "<AttributeQuery> Usage" section in draft 10 should be revised to indicate that the <NameID> element should not specify a NameQualifier.
> >
> > The recommendation was followed in section 2.3.1 ("<saml:NameID> Usage") of draft 11, where the third rule says:
> >
> > "As specified in [SAMLCore], the NameQualifier attribute of the <saml:NameID> element SHOULD be omitted."
> >
> > So, as an implementer of the profile defined in these documents, I've been wondering if a new draft has been planned that will correct this issue (and any others that I may not be aware of) that had already been corrected in the withdrawn draft 11. Does anybody have any insight into this?
> >
> > Thank you in advance.
> >
> > Mike Merrill
> > Principal Software Engineer
> > (781) 515-7094
> > mmerrill@rsasecurity.com
> >
> > RSA, The Security Division of EMC
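As an added illustration (not part of this thread, and not code from the SSTC or from any draft of the profile), the following Python checks the `<saml:NameID>` of a `<samlp:AttributeQuery>` against the two conflicting rules quoted above: draft 10 rule 3 (NameQualifier carries the certificate issuer DN in RFC 2253 form) and the SAMLCore section 2.2.2 / draft 11 rule (NameQualifier omitted, since the X509SubjectName format in SAMLCore 8.3.3 defines no use for it). The namespace URIs and the X509SubjectName format identifier are the real SAML V2.0 values; the two sample queries, their `ID` values, issuer, DNs and the `check_nameid` / `expect_qualifier` names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Plausibility check for an RFC 2253 string DN: begins with an attribute type and '='.
# Deliberately loose; a real deployment would parse the DN with an X.500/LDAP library.
RFC2253_START = re.compile(r"^[A-Za-z][A-Za-z0-9.]*=")


def check_nameid(xml_text, expect_qualifier=False):
    """Inspect the <saml:NameID> of a <samlp:AttributeQuery> and return findings.

    expect_qualifier=False applies the SAMLCore 2.2.2 / draft-11 rule
    (NameQualifier SHOULD be omitted for the X509SubjectName format).
    expect_qualifier=True applies the draft-10 rule (NameQualifier SHOULD be
    the issuer DN from the certificate, in RFC 2253 form).
    An empty list means the query is compliant with the chosen rule.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        return [f"root element is {root.tag}, not samlp:AttributeQuery"]
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None:
        return ["no saml:NameID under saml:Subject"]

    fmt = name_id.get("Format")
    if fmt != X509_SUBJECT_NAME:
        findings.append(f"Format is {fmt!r}, expected {X509_SUBJECT_NAME}")
    if not (name_id.text or "").strip():
        findings.append("NameID value (the subject DN) is empty")

    qualifier = name_id.get("NameQualifier")
    if expect_qualifier:
        if qualifier is None:
            findings.append("NameQualifier missing; draft-10 rule 3 expects the issuer DN")
        elif not RFC2253_START.match(qualifier):
            findings.append(f"NameQualifier {qualifier!r} does not look like an RFC 2253 DN")
    elif qualifier is not None:
        findings.append(
            "NameQualifier present; SAMLCore 2.2.2 says it SHOULD be omitted because the "
            "X509SubjectName format (SAMLCore 8.3.3) does not define its use"
        )
    # Neither draft defines SPNameQualifier for this format, so flag it under both rules.
    if name_id.get("SPNameQualifier") is not None:
        findings.append("SPNameQualifier present; not defined for the X509SubjectName format")
    return findings


# Constructed sample queries (IDs, issuer and DNs are made up for this example).
DRAFT10_STYLE = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-q1" Version="2.0" IssueInstant="2006-12-18T22:16:00Z">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        NameQualifier="CN=Example CA,O=Example Org,C=US">CN=Alice,OU=Staff,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""

DRAFT11_STYLE = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-q2" Version="2.0" IssueInstant="2006-12-18T22:16:00Z">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Alice,OU=Staff,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>"""

if __name__ == "__main__":
    for label, query in (("draft-10 style", DRAFT10_STYLE), ("draft-11 style", DRAFT11_STYLE)):
        print(label, "under SAMLCore/draft-11 rule:", check_nameid(query) or "OK")
        print(label, "under draft-10 rule:", check_nameid(query, expect_qualifier=True) or "OK")
```

Running the script shows the practical consequence of the thread: each sample is compliant under exactly one rule, so an attribute authority written against draft 10 and a requester written against draft 11 (or against SAMLCore alone, as cd-01 leaves it) would flag each other's queries. Pinning the deployment to one of the two rules, and logging which one a rejected query failed, is what keeps this from surfacing as an unexplained interoperability failure.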