Re: [abfab] Comments on draft-ietf-abfab-aaa-saml-11

"Cantor, Scott" <cantor.2@osu.edu> Sun, 09 August 2015 18:59 UTC

From: "Cantor, Scott" <cantor.2@osu.edu>
To: "Alejandro Pérez Méndez" <alex@um.es>, "abfab@ietf.org" <abfab@ietf.org>
Thread-Topic: [abfab] Comments on draft-ietf-abfab-aaa-saml-11
Thread-Index: AQHQ0SF7of7mlEQFmE+WSlziI+4vfp4B98AAgAIRHwA=
Date: Sun, 9 Aug 2015 18:59:45 +0000
Message-ID: <0EB79B20-E2CE-451A-9139-CC581DFD28B7@osu.edu>
References: <75CEE38C-77DD-438B-BECD-6FF8ADB6826E@osu.edu> <55C5AF0A.2060000@um.es>
In-Reply-To: <55C5AF0A.2060000@um.es>
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/Ow22_f2DgzVN9mhNbEVribDlSNU>
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>

On 8/8/15, 3:26 AM, "abfab on behalf of Alejandro Pérez Méndez" <abfab-bounces@ietf.org on behalf of alex@um.es> wrote:

>That confuses me. This attribute is already defined in the description of the RoleDescriptor type, and I thought that I did not need to provide further information. For instance, in the saml-metadata-2.0-os document, other subtypes of RoleDescriptor such as SSODescriptor or AttributeAuthorityDescriptor, or even subsubtypes such as IDPSSODescriptor, say nothing about the value of protocolSupportEnumeration. I just followed the same kind of description they do. In fact, in that document, the only place besides RoleDescriptor where protocolSupportEnumeration appears is in section "2.6 Examples", so I did include it in my examples.

It may be that the right value here is just "urn:oasis:names:tc:SAML:2.0:protocol", which is the one that's called out by default in the metadata spec for SAML 2.0 entities.

Since these roles were, I thought, more intended to describe RADIUS entities, that didn't seem entirely appropriate, but OTOH if these are RADIUS entities able to communicate SAML 2.0 messages, I don't know that it isn't appropriate either.

It doesn't matter that much in practice here because the purpose of the attribute is to distinguish a particular role type across multiple use cases (e.g. IDPSSODescriptor that might be SAML 2.0, SAML 1.1, WS-Federation, OpenID Connect, or all four).

If these roles are more or less singular in nature, then the value is probably academic, and leaving it defaulting to "urn:oasis:names:tc:SAML:2.0:protocol" is likely fine, but I'm just noting that that is in fact what would have to appear. If that doesn't seem good, something else would need to be defined.

>Where do you suggest to include this kind of description? In the 
>introductory text for each role? Why do other subtypes of RoleDescriptor 
>not provide it?

The default value is defined in the RoleDescriptor definition. If one was to specify a different default for a role type, it would make sense to define it within that role type's definition.

>You are right, I don't want the extra whitespace to be included in the
>value of the element. What do you suggest?

The simplest fix is just to change the examples.

>a) making the example look like this
>
>              <RADIUSRealm>idp.com</RADIUSRealm>
>
>or
>b) using another type that has implicit trimming capabilities (if such 
>a thing exists)

No such thing exists, so it's a rathole to try and address it.

>For instance, I've seen that the localizedNameType extends xs:string, 
>but it seems to have no problems with trimming.

Everything based on string ends up with trimming issues sooner or later. Nothing has ever been done to address it.

>Does this subtype define anything special that implies trimming?

No. That approach to the examples is what I'm suggesting you avoid.

-- Scott
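An added example, not from this thread, illustrating the trimming point: an XML parser keeps the whitespace inside an xs:string-typed element, so a pretty-printed <RADIUSRealm> does not compare equal to the realm it names unless the consumer trims it at the application level. The namespace URI and the wrapping element are placeholders I made up, not ones defined by the draft.

```python
# Added example (not from the thread): whitespace inside an xs:string-typed
# element such as <RADIUSRealm> is significant to the parser and to any
# consumer that compares the raw value.
import xml.etree.ElementTree as ET

# Constructed fragments; the namespace and <Ext> wrapper are placeholders.
NS = "urn:example:abfab:metadata"  # placeholder, not the draft's namespace

# Pretty-printed form: the value carries a leading and trailing newline/indent.
PRETTY = f"""<Ext xmlns="{NS}">
    <RADIUSRealm>
        idp.com
    </RADIUSRealm>
</Ext>"""

# Compact form, as suggested in the reply: no surrounding whitespace.
COMPACT = f"""<Ext xmlns="{NS}"><RADIUSRealm>idp.com</RADIUSRealm></Ext>"""


def realm_text(xml: str) -> str:
    """Return the RADIUSRealm element's text exactly as the parser sees it."""
    root = ET.fromstring(xml)
    elem = root.find(f"{{{NS}}}RADIUSRealm")
    if elem is None or elem.text is None:
        return ""
    return elem.text


def realm_matches(xml: str, expected: str) -> bool:
    """Raw comparison: what a consumer gets with xs:string and no trimming."""
    return realm_text(xml) == expected


def realm_matches_trimmed(xml: str, expected: str) -> bool:
    """Application-level trimming; no schema type supplies this for free."""
    return realm_text(xml).strip() == expected
```

The raw comparison fails for the pretty-printed fragment and succeeds only for the compact one, which is why the reply recommends fixing the examples rather than looking for a self-trimming type.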