[TLS] Review of draft-housley-tls-authz-extns-05

<Pasi.Eronen@nokia.com> Tue, 23 May 2006 08:01 UTC

Received: from [] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FiRp6-0002RH-MR; Tue, 23 May 2006 04:01:00 -0400
Received: from [] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FiRp4-0002R9-OV; Tue, 23 May 2006 04:00:58 -0400
Received: from mgw-ext11.nokia.com ([]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FiRp3-0001Or-AN; Tue, 23 May 2006 04:00:58 -0400
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com []) by mgw-ext11.nokia.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id k4N80rGY027440; Tue, 23 May 2006 11:00:56 +0300
Received: from esebh104.NOE.Nokia.com ([]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 23 May 2006 11:00:56 +0300
Received: from esebe105.NOE.Nokia.com ([]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 23 May 2006 11:00:56 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 23 May 2006 11:00:52 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2402AE176A@esebe105.NOE.Nokia.com>
Thread-Topic: Review of draft-housley-tls-authz-extns-05
Thread-Index: AcZ+PwMNZPkennagT/SoqPhXKQtzFg==
From: <Pasi.Eronen@nokia.com>
To: <ietf@ietf.org>
X-OriginalArrivalTime: 23 May 2006 08:00:56.0037 (UTC) FILETIME=[051B9150:01C67E3F]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: e5ba305d0e64821bf3d8bc5d3bb07228
Cc: tls@ietf.org
Subject: [TLS] Review of draft-housley-tls-authz-extns-05
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

The part about X.509 attribute certificates looks fine, but
at least the SAML part still needs some work:

1) I think the document needs to discuss the security considerations
   of bearer SAML assertions in more detail. While the countermeasures
   described in 3.3.2 may help against passive eavesdroppers, they 
   still allow an active MiTM to "steal" the permission. This is IMHO 
   a significant difference to typical SAML usage with HTTP-over-TLS,
   where the server is authenticated before the bearer assertion is

2) Section 3.3.2: "When SAMLAssertion is used, the field contains XML 
   constructs with a nested structure defined in [SAML1.1][SAML2.0]."
   This needs to be much more specific than "some XML from these 
   documents". What element/elements? Is this an XML document
   (with XML declaration etc.), or just a "fragment"? Which encoding? 
   And so on...

3) The document is last called for Proposed Standard, but contains
   a normative reference to Informational RFC (RFC 2704). I'd 
   suggest removing the KeyNote stuff from this document (if someone
   really wants to do KeyNote, it can be a separate document).

Minor editorial comments:

4) Section 2.3: the list type is "AuthorizationDataFormats" but
   enum is spelled "AuthzDataFormat".

Best regards,

TLS mailing list