Re: [abfab] Comments on draft-ietf-abfab-aaa-saml-11

"Cantor, Scott" <cantor.2@osu.edu> Sun, 09 August 2015 18:59 UTC

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Alejandro Pérez Méndez <alex@um.es>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] Comments on draft-ietf-abfab-aaa-saml-11
Date: Sun, 09 Aug 2015 18:59:45 +0000
Message-ID: <0EB79B20-E2CE-451A-9139-CC581DFD28B7@osu.edu>
References: <75CEE38C-77DD-438B-BECD-6FF8ADB6826E@osu.edu> <55C5AF0A.2060000@um.es>
In-Reply-To: <55C5AF0A.2060000@um.es>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/Ow22_f2DgzVN9mhNbEVribDlSNU>

On 8/8/15, 3:26 AM, "abfab on behalf of Alejandro Pérez Méndez" <abfab-bounces@ietf.org on behalf of alex@um.es> wrote:


>
>That confuses me. This attribute is already defined in the description of the RoleDescriptor type, and I thought that I did not need to provide further information. For instance, in the saml-metadata-2.0-os document, other subtypes of RoleDescriptor such as SSODescriptor or AttributeAuthorityDescriptor, or even subsubtypes such as IDPSSODescriptor, say nothing about the value of protocolSupportEnumeration. I just followed the same kind of description they do. In fact, in that document, the only place besides RoleDescriptor where protocolSupportEnumeration appears is in section "2.6 Examples", so I did include it in my examples.

It may be that the right value here is just "urn:oasis:names:tc:SAML:2.0:protocol", which is the one that's called out by default in the metadata spec for SAML 2.0 entities.

Since these roles were, I thought, more intended to describe RADIUS entities, that didn't seem entirely appropriate, but OTOH if these are RADIUS entities able to communicate SAML 2.0 messages, I don't know that it isn't appropriate either.

It doesn't matter that much in practice here because the purpose of the attribute is to distinguish a particular role type across multiple use cases (e.g. IDPSSODescriptor that might be SAML 2.0, SAML 1.1, WS-Federation, OpenID Connect, or all four).

If these roles are more or less singular in nature, then the value is probably academic, and leaving it defaulting to "urn:oasis:names:tc:SAML:2.0:protocol" is likely fine, but I'm just noting that that is in fact what would have to appear. If that doesn't seem good, something else would need to be defined.

>Where do you suggest to include this kind of description? In the 
>introductory text for each role? Why do other subtypes of RoleDescriptor 
>not provide it?

The default value is defined in the RoleDescriptor definition. If one were to specify a different default for a role type, it would make sense to define it within that role type's definition.

>You are right, I don't want the extra whitespaces to be included in the
>value of the element. What do you suggest?:

The simplest fix is just to change the examples.

>a) making the example look like this
>
>              <RADIUSRealm>idp.com</RADIUSRealm>
>
>or
>b) using another type that has implicit trimming capabilities (if such 
>a thing exists)

No such thing exists, so it's a rathole to try and address it.

>For instance, I've seen that the localizedNameType extends xs:string, 
>but it seems to have no problems with trimming.

Everything based on string ends up with trimming issues sooner or later. Nothing has ever been done to address it.

>Does this subtype define anything special that implies trimming?

No. That approach to the examples is what I'm suggesting you avoid.

-- Scott
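The two issues discussed in this exchange, matching a role's protocolSupportEnumeration (a space-separated list of protocol URIs) and the whitespace that a "pretty printed" string-typed element such as RADIUSRealm carries into its parsed value, can both be seen with a small parser. The following is an added example, not code from the draft, from Scott's message or from any ABFAB implementation. The metadata fragment is constructed for the example; the extension namespace, the `ext:PlaceholderRoleType` xsi:type and the `ext:` prefix on RADIUSRealm are placeholders standing in for whatever the draft actually defines, and only the standard SAML metadata namespace and the SAML 2.0 protocol URN quoted in the thread are real. The security-relevant point is the last function: a consumer that compares the raw element text against a realm it expects will get a mismatch (or, with a sloppier comparison, a false match) purely because of layout whitespace in the metadata.

```python
"""Added example (not from the draft or the thread): parse a constructed SAML
metadata fragment to show (a) how to test protocolSupportEnumeration, which
is a space-separated list, and (b) that leading/trailing whitespace inside
a string-typed element such as RADIUSRealm survives parsing unchanged."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"          # real SAML 2.0 metadata namespace
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"  # URN quoted in the thread
# Placeholder namespace for the draft's extension elements (assumption, not the draft's).
EXT_NS = "urn:example:abfab:metadata:placeholder"

# Constructed sample with two roles. The first RADIUSRealm is laid out the way
# the thread discusses (element value on its own indented line); the second is
# written on one line so its value contains no incidental whitespace.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ext="{EXT_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://idp.example.org">
  <md:RoleDescriptor xsi:type="ext:PlaceholderRoleType"
      protocolSupportEnumeration="{SAML2_PROTOCOL} urn:example:other:protocol">
    <ext:RADIUSRealm>
        idp.example.org
    </ext:RADIUSRealm>
  </md:RoleDescriptor>
  <md:RoleDescriptor xsi:type="ext:PlaceholderRoleType"
      protocolSupportEnumeration="urn:example:other:protocol">
    <ext:RADIUSRealm>other.example.org</ext:RADIUSRealm>
  </md:RoleDescriptor>
</md:EntityDescriptor>
"""


def roles_supporting(xml_text, protocol):
    """Return the RoleDescriptor elements whose protocolSupportEnumeration
    lists `protocol`. The attribute is a whitespace-separated list, so it is
    split before comparison rather than substring-matched."""
    root = ET.fromstring(xml_text)
    matches = []
    for role in root.findall(f"{{{MD_NS}}}RoleDescriptor"):
        supported = role.get("protocolSupportEnumeration", "").split()
        if protocol in supported:
            matches.append(role)
    return matches


def raw_realm(role):
    """Text of the RADIUSRealm child exactly as the XML parser delivers it.
    xs:string content is not whitespace-collapsed, so layout whitespace stays."""
    el = role.find(f"{{{EXT_NS}}}RADIUSRealm")
    return el.text if el is not None else None


def normalized_realm(role):
    """Realm with surrounding whitespace removed; this is what a consumer has
    to do itself if the metadata author formatted the element as above."""
    text = raw_realm(role)
    return text.strip() if text is not None else None


def realm_matches_strict(role, expected_realm):
    """Naive consumer check: compare the raw value. Fails on the indented
    sample even though the intended realm is correct."""
    return raw_realm(role) == expected_realm


if __name__ == "__main__":
    for role in roles_supporting(SAMPLE_METADATA, SAML2_PROTOCOL):
        print("raw:       ", repr(raw_realm(role)))
        print("normalized:", repr(normalized_realm(role)))
        print("strict match against 'idp.example.org':",
              realm_matches_strict(role, "idp.example.org"))
```

Running the block shows the first role's raw realm as a string wrapped in newlines and spaces, while the normalized value is the bare realm. A consumer should decide explicitly whether it normalizes, and metadata examples in a specification are best written with the value directly between the tags, which is the fix Scott suggests.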