Subject:Re: Attribute Sharing Profile for X.509 Authentication-Based Systems (Draft-12)
From:Tom Scavo (trsc@gmail.com)
Date:Mar 27, 2007 9:58:30 am
List:org.oasis-open.lists.security-services

On 3/25/07, Tom Scavo <trsc@gmail.com> wrote:

> Draft-12 of the Attribute Sharing Profile has been uploaded to the archive:
>
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/23148/sstc-saml-x509-authn-attrib-profile-draft-12.odt
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/23149/sstc-saml-x509-authn-attrib-profile-draft-12.pdf
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/23150/sstc-saml-x509-authn-attrib-profile-draft-12-diff.pdf
>
> There are still two "bugs" that I can see:
>
> 1. The <saml:Audience> requirement on lines 191--192 can only be met if the SP authenticates to the IdP, but the security characteristics of Basic Mode are mostly inherited from the Attribute Query/Request Profile, which does not mandate authenticated queries.

Okay, consensus on the call was that the IdP puts whatever identifier the SP provides into the <saml:Audience>. That's fine.

> 2. The metadata requirements in section 3.4 stipulate that if SAML metadata is used, query:AttributeQueryDescriptorType SHOULD be used, but since this type is the only such type available for use, it seems the normative language is too weak in this case.

I'm still not clear on how best to reword this. Scott, would you mind taking a crack at this? Here's how it stands now:

---------------------
The service provider and identity provider MAY use metadata in support of this deployment profile for locating endpoints, communicating key information, and so on. If SAML V2.0 metadata is used, the <md:AttributeAuthorityDescriptor> element defined by the SAML metadata specification [SAMLMeta] and the query:AttributeQueryDescriptorType complex type defined by the SAML metadata extension specification [SAMLMeta-Ext] SHOULD be used with this deployment profile.

Thanks, Tom
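The consensus on point 1 (the IdP copies whatever identifier the SP supplied into <saml:Audience>) and the corresponding check an SP should make, as an added example that is not part of the thread or the draft profile. The sample query, the entityIDs and the subject DN are constructed; the X509SubjectName NameID format is the standard SAML 2.0 one.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SAML = "{%s}" % NS["saml"]
ET.register_namespace("saml", NS["saml"])

# Constructed sample AttributeQuery: the SP identifies itself only through
# <saml:Issuer> and names the subject by X.509 subject name (Basic Mode style).
SAMPLE_QUERY = """<samlp:AttributeQuery xmlns:samlp="%s" xmlns:saml="%s"
    ID="_q1" Version="2.0" IssueInstant="2007-03-27T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        >CN=Alice,O=Example</saml:NameID>
  </saml:Subject>
</samlp:AttributeQuery>""" % (NS["samlp"], NS["saml"])


def requester_id(query_xml):
    """IdP side: the identifier the SP provides is its <saml:Issuer>."""
    issuer = ET.fromstring(query_xml).find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AttributeQuery carries no <saml:Issuer>")
    return issuer.text.strip()


def build_conditions(query_xml):
    """IdP side: echo the requester's identifier into <saml:Audience>.

    Caveat from the thread: the profile does not mandate authenticated
    queries, so this Audience is only as trustworthy as the Issuer claim.
    """
    cond = ET.Element(SAML + "Conditions")
    restriction = ET.SubElement(cond, SAML + "AudienceRestriction")
    ET.SubElement(restriction, SAML + "Audience").text = requester_id(query_xml)
    return ET.tostring(cond, encoding="unicode")


def audience_ok(conditions_xml, my_entity_id):
    """SP side: accept the assertion only if some <saml:Audience> names us."""
    cond = ET.fromstring(conditions_xml)
    audiences = [a.text.strip()
                 for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    return my_entity_id in audiences
```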