[abfab] Comments on draft-ietf-abfab-aaa-saml-11

"Cantor, Scott" <cantor.2@osu.edu> Fri, 07 August 2015 14:58 UTC

From: "Cantor, Scott" <cantor.2@osu.edu>
To: "abfab@ietf.org" <abfab@ietf.org>
Date: Fri, 7 Aug 2015 14:58:12 +0000
Message-ID: <75CEE38C-77DD-438B-BECD-6FF8ADB6826E@osu.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/KLXlBO6wGwER8ow6PA03c99AiNA>

Just a brief review primarily of section 4 and the metadata material.

4.3.2

I wouldn't denote "entityID" as <entityId> as that suggests an XML element by that name, which doesn't exist in SAML.

Apologies if it's covered elsewhere, but these bullets seem to lack specificity:

   o  RADIUS client identity in trusted digitally signed SAML request.

   o  RADIUS realm in trusted digitally signed SAML response or
      assertion.
How precisely is the RADIUS identity expressed in the SAML messages?

4.3.3

One thing missing is a definition of what to put in the protocolSupportEnumeration attribute for these roles. Presumably that would be some identifier representing whatever family of profiles this binding is intended to be used with. In SAML it's used to delineate SAML 1 and SAML 2 support. It's a required attribute on every RoleDescriptor, so something has to be in it.

4.3.4

One point is that in the XML examples shown, the various string-valued elements are shown with whitespace around the values. It would be unusual to normatively address the trimming question, but I don't know if you want the examples to actually encourage extra whitespace given that no matter what you say or do, some implementations inevitably won't trim. In fact, it's probably worth noting it if you need implementations to *not* trim, but I assume these elements by and large don't expect leading/trailing WS to be significant.

4.5

This text reads a bit oddly given that the previous section explicitly covers the metadata extensions defined. At minimum, it seems like maybe it should indicate that if metadata *is* used, those roles MUST be present?

-- Scott
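The two metadata points raised above (4.3.3: protocolSupportEnumeration is required on every role descriptor; 4.3.4: string-valued elements shown with surrounding whitespace) are the kind of thing a metadata consumer can check mechanically. The following is an added example, not code from the draft or from the message above: a small stdlib-only Python linter that parses a SAML 2.0 metadata document, reports role descriptors with no protocolSupportEnumeration, reports leaf elements whose text carries leading or trailing whitespace, and can trim that whitespace in place. The sample metadata is constructed for the example; the `abfab` namespace URI, the `xsi:type` value `abfab:ExampleRoleType` and the `abfab:Realm` element are hypothetical placeholders, not identifiers defined by the draft.

```python
"""Lint SAML 2.0 metadata for missing protocolSupportEnumeration and
whitespace-padded string elements. Added example; stdlib only."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Every element in SAML 2.0 metadata whose type derives from
# md:RoleDescriptorType, and therefore must carry protocolSupportEnumeration.
ROLE_TAGS = {
    f"{{{MD}}}{name}"
    for name in (
        "RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor",
        "AuthnAuthorityDescriptor", "AttributeAuthorityDescriptor",
        "PDPDescriptor",
    )
}

# Constructed sample, not taken from the draft. The abfab namespace, the
# xsi:type value and the Realm element are hypothetical placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:abfab="urn:example:abfab:metadata"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
  <md:RoleDescriptor xsi:type="abfab:ExampleRoleType">
    <abfab:Realm>
      example.org
    </abfab:Realm>
  </md:RoleDescriptor>
</md:EntityDescriptor>
"""


def local_name(tag):
    """Strip the Clark-notation namespace from an ElementTree tag."""
    return tag.split("}")[-1]


def role_label(role):
    """Readable label for a role: local tag plus xsi:type when present."""
    xsi_type = role.get(f"{{{XSI}}}type")
    name = local_name(role.tag)
    return f"{name}[{xsi_type}]" if xsi_type else name


def roles_missing_protocol_support(root):
    """Labels of role descriptors whose protocolSupportEnumeration is absent
    or contains no URIs at all (the attribute is a whitespace-separated list)."""
    return [
        role_label(el)
        for el in root.iter()
        if el.tag in ROLE_TAGS
        and not (el.get("protocolSupportEnumeration") or "").split()
    ]


def padded_string_elements(root):
    """(local tag, raw text) for leaf elements whose non-empty text has
    leading or trailing whitespace, i.e. values an implementation might or
    might not trim."""
    found = []
    for el in root.iter():
        if len(el) == 0 and el.text is not None:
            stripped = el.text.strip()
            if stripped and stripped != el.text:
                found.append((local_name(el.tag), el.text))
    return found


def trim_string_elements(root):
    """Trim leaf element text in place; return how many elements changed."""
    changed = 0
    for el in root.iter():
        if len(el) == 0 and el.text is not None:
            stripped = el.text.strip()
            if stripped and stripped != el.text:
                el.text = stripped
                changed += 1
    return changed


def lint_metadata(xml_text):
    """Parse metadata and return the findings a consumer would want to see."""
    root = ET.fromstring(xml_text)
    return {
        "missing_entityID": (
            root.tag == f"{{{MD}}}EntityDescriptor" and not root.get("entityID")
        ),
        "missing_protocol_support": roles_missing_protocol_support(root),
        "padded_strings": padded_string_elements(root),
    }


if __name__ == "__main__":
    for key, value in lint_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value!r}")
```

Run against the sample, the linter flags the hypothetical RoleDescriptor for its missing protocolSupportEnumeration and the padded Realm value; the IDPSSODescriptor, which carries the SAML 2.0 protocol URI, passes. Whether trimming is the right repair is exactly the question left open above: if the draft needs whitespace to be significant in some element, a consumer must not call trim_string_elements on it.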