security-services message
Subject: RE: [security-services] comments re draft-sstc-saml-attribute-ext-01


> - I suggest you rewrite the first paragraph in section 2.3 as follows:
> 
> "The OriginalIssuer XML attribute identifies the entity that
> originally issued the containing SAML attribute and its values."
> 
> The text in the document is inaccurate since such attributes are not
> confined to assertions (think: SAML 2.0 profile of XACML v2.0).

Yeah, you're right. Ironically I have another profile TBD that tags entities
in metadata with Attributes, for which OriginalIssuer is useful.

> - If the value of OriginalIssuer is an entity identifier, it must be
> no more than 1024 characters, right?  In that case, the schema
> fragment in section 2.3 should mirror entityIDType in [SAML2Meta].

I considered it, but I didn't want to import that schema for no other
reason, and moreover, I think that was a huge mistake inherited from Liberty
without any real discussion behind it, and was meaning to suggest that we
add a RECOMMENDATION to 8.3 of core that limits entity IDs to 256 (if even
that much).

> - What do you mean by "last modified" in section 2.4?  Is this an
> "issue instant" in disguise?

No, as a matter of fact I even considered proposing IssueInstant, but decided
that it didn't really seem like a simple concept. Last modified is easy to
understand, at least I thought. What's confusing about it? Doesn't every
LDAP directory track that? Most records in databases? It's a pretty standard
concept.

I actually don't have a specific use case for it, but I thought the document
would look better if I included at least 2 rather than just 1 extension.

> - Does the schema support multiple such XML attributes?

An anyAttribute wildcard is implicitly multiple; you can't limit it. Of
course, XML itself precludes the same attribute appearing twice. If an
attribute included a need to carry multiple values, using a list as the
value is the usual convention in XML.

-- Scott
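As an added example (not code from the thread or from the SSTC draft), here is a consumer-side check of the points raised above: the OriginalIssuer value treated as an entity identifier bounded by entityIDType's 1024-character limit, LastModified treated as a UTC timestamp, and the XML rule that one attribute cannot appear twice on an element. The extension namespace URI, the attribute OID and the sample values are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlparse
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed namespace for the draft's extension attributes (not taken from the thread).
EXT_NS = "urn:oasis:names:tc:SAML:attribute:ext"
MAX_ENTITY_ID_LEN = 1024  # entityIDType bound from SAML 2.0 metadata, as raised in the thread

# Constructed sample: an Attribute relayed by one issuer but originally issued elsewhere.
SAMPLE = """<saml:Attribute xmlns:saml="%s" xmlns:ext="%s"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    ext:OriginalIssuer="https://idp.example.edu/idp/shibboleth"
    ext:LastModified="2006-11-30T12:00:00Z">
  <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
</saml:Attribute>""" % (SAML_NS, EXT_NS)

def check_attribute(xml_text):
    """Return (original_issuer, last_modified, problems) for one saml:Attribute."""
    root = ET.fromstring(xml_text)
    issuer = root.get("{%s}OriginalIssuer" % EXT_NS)
    modified = root.get("{%s}LastModified" % EXT_NS)
    problems = []
    if issuer is not None:
        # An entity identifier is a URI bounded by entityIDType's length limit.
        if len(issuer) > MAX_ENTITY_ID_LEN:
            problems.append("OriginalIssuer exceeds the %d-character entityID bound" % MAX_ENTITY_ID_LEN)
        if not urlparse(issuer).scheme:
            problems.append("OriginalIssuer is not an absolute URI")
    if modified is not None:
        # Require the UTC xs:dateTime form SAML uses for its timestamps.
        try:
            datetime.strptime(modified, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("LastModified is not a UTC xs:dateTime")
    return issuer, modified, problems

def duplicate_attribute_rejected(xml_text):
    """XML forbids the same attribute twice on one element; a conforming parser
    rejects the document instead of silently keeping one of the two values."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return True
    return False

if __name__ == "__main__":
    print(check_attribute(SAMPLE))
    doubled = SAMPLE.replace("ext:LastModified=", 'ext:OriginalIssuer="x" ext:LastModified=')
    print(duplicate_attribute_rejected(doubled))
```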
