Re: [abfab] Comments on draft-ietf-abfab-aaa-saml-11

Alejandro Pérez Méndez <alex@um.es> Sat, 08 August 2015 07:26 UTC

Return-Path: <alex@um.es>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77A911ACEA7 for <abfab@ietfa.amsl.com>; Sat, 8 Aug 2015 00:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.311
X-Spam-Level:
X-Spam-Status: No, score=-3.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_26=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ymw-FeeX0Ed for <abfab@ietfa.amsl.com>; Sat, 8 Aug 2015 00:26:08 -0700 (PDT)
Received: from xenon22.um.es (xenon22.um.es [155.54.212.162]) by ietfa.amsl.com (Postfix) with ESMTP id 850701ACEBF for <abfab@ietf.org>; Sat, 8 Aug 2015 00:26:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon22.um.es (Postfix) with ESMTP id 6ABB22B68 for <abfab@ietf.org>; Sat, 8 Aug 2015 09:26:05 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon22.um.es
Received: from xenon22.um.es ([127.0.0.1]) by localhost (xenon22.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id SJBem-+chtrs for <abfab@ietf.org>; Sat, 8 Aug 2015 09:26:05 +0200 (CEST)
Received: from [10.42.0.179] (84.121.18.25.dyn.user.ono.com [84.121.18.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: alex) by xenon22.um.es (Postfix) with ESMTPSA id 3CDEB1A40 for <abfab@ietf.org>; Sat, 8 Aug 2015 09:26:03 +0200 (CEST)
To: abfab@ietf.org
References: <75CEE38C-77DD-438B-BECD-6FF8ADB6826E@osu.edu>
From: =?UTF-8?Q?Alejandro_P=c3=a9rez_M=c3=a9ndez?= <alex@um.es>
Message-ID: <55C5AF0A.2060000@um.es>
Date: Sat, 8 Aug 2015 09:26:02 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <75CEE38C-77DD-438B-BECD-6FF8ADB6826E@osu.edu>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/abfab/i2WFjgMA4Lum8ecoKPI9JsD_qYU>
Subject: Re: [abfab] Comments on draft-ietf-abfab-aaa-saml-11
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/abfab/>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Aug 2015 07:26:10 -0000

Hi Scott,

thanks for the quick review. See my comments inline.

El 07/08/15 a las 16:58, Cantor, Scott escribió:
> Just a brief review primarily of section 4 and the metadata material.
>
> 4.3.2
>
> I wouldn't denote "entityID" as <entityId> as that suggests an XML element by that name, which doesn't exist in SAML.

Right, I will remove it.

>
> Apologies if it's covered elsewhere, but these bullets seems to lack specificity:
>
>
>
>     o  RADIUS client identity in trusted digitally signed SAML request.
>
>
>     o  RADIUS realm in trusted digitally signed SAML response or
>        assertion.
>
>
> How precisely is the RADIUS identity expressed in the SAML messages?

Although it would be possible doing so, we agreed that this document 
would only provide a technical solution for representing the AAA name in 
trusted SAML metadata. If someone wanted to express them in SAML 
messages, he would need to define how this would be done.

I will state something like that at the beginning of section 4.3.3 to 
make it clear.

>
> 4.3.3
>
> One thing missing is a definition of what to put in the protocolSupportEnumeration attribute for these roles. Presumably that would be some identifier representing whatever family of profiles this binding is intended to be used with. In SAML it's used to delineate SAML 1 and SAML 2 support. It's a required attribute on every RoleDescriptor, so something has to be in it.

That confuses me. This attribute is already defined in the description 
of the RoleDescriptor type, and I thought that I did not need to provide 
further information. For instance, in the saml-metadata-2.0-os document, 
other subtypes of RoleDescriptor such as SSODescriptor or 
AttributeAuthorityDescriptor, or even subsubtypes such as 
IDPSSODescriptor, say nothing about the value of 
protocolSupportEnumeration. I just followed the same kind of description 
they do. In fact, in that document, the only place besides 
RoleDescriptor where protocolSupportEnumeration appears is in section 
"2.6 Examples", so I did include it in my examples.

Where do you suggest to include this kind of description? In the 
introductory text for each role? Why other subtypes of RoleDescriptor do 
not provide it?

>
> 4.3.4
>
> One point is that in the XML examples shown, the various string-valued elements are shown with whitespace around the values. It would be unusual to normatively address the trimming question, but I don't know if you want the examples to actually encourage extra whitespace given that no matter what you say or do, some implementations inevitably won't trim. In fact, it's probably worth noting it if you need implementations to *not* trim, but I assume these elements by and large don't expect leading/trailing WS to be significant.

You are right, I don't want the extra whitespaces to be included in the 
value of the element. What do you suggest?:
a) making the example look like this

              <RADIUSRealm>idp.com</RADIUSRealm>

or
b) using another type that has implicit trimming capabilities (if such 
thing exists)
For instance, I've seen that the localizedNameType extends xs:string, 
but it seems to have no problems with trimming.
This text is extracted from saml-metadata-2.0-os section 2.6:

<OrganizationDisplayName xml:lang="en">
     Identity Providers R US, a Division of Lerxst Corp.
</OrganizationDisplayName>

where OrganizationDisplayName is of type localizedNameType, and it is 
shown with whitespace around the values.
Does this subtype define anything special that implies trimming?

>
> 4.5
>
> This text reads a bit oddly given that the previous section explicitly covers the metadata extensions defined. At minimum, it seems like maybe it should indicate that if metadata *is* used, those roles MUST be present?

You're completely right. I will update the text.

Thanks!

-- Alejandro

>
> -- Scott
>
> _______________________________________________
> abfab mailing list
> abfab@ietf.org
> https://www.ietf.org/mailman/listinfo/abfab