RE: [TLS] Review of draft-housley-tls-authz-extns-05

<Pasi.Eronen@nokia.com> Mon, 05 June 2006 13:35 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnFF7-0004h5-KW; Mon, 05 Jun 2006 09:35:41 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnFEn-0004Nz-Kz for tls@ietf.org; Mon, 05 Jun 2006 09:35:21 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FnDft-00060m-Ax for tls@ietf.org; Mon, 05 Jun 2006 07:55:13 -0400
Received: from mgw-ext11.nokia.com ([131.228.20.170]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FnDYq-0006La-BB for tls@ietf.org; Mon, 05 Jun 2006 07:47:56 -0400
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-ext11.nokia.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id k55BlrV4026524; Mon, 5 Jun 2006 14:47:55 +0300
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Jun 2006 14:47:54 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Jun 2006 14:47:54 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Review of draft-housley-tls-authz-extns-05
Date: Mon, 5 Jun 2006 14:47:56 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2402BC036F@esebe105.NOE.Nokia.com>
In-Reply-To: <046F43A8D79C794FA4733814869CDF070152A5E0@dul1wnexmb01.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Review of draft-housley-tls-authz-extns-05
Thread-Index: AcaHNX30nUMsvvFoShSwXEL/SDYhlgBRkQuwAASzKAAAAIvrIA==
From: <Pasi.Eronen@nokia.com>
To: <shollenbeck@verisign.com>, <hartmans-ietf@mit.edu>
X-OriginalArrivalTime: 05 Jun 2006 11:47:54.0355 (UTC) FILETIME=[E1A0BC30:01C68895]
X-Spam-Score: -2.6 (--)
X-Scan-Signature: 50a516d93fd399dc60588708fd9a3002
Cc: mark@redphonesecurity.com, tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Scott Hollenbeck wrote:

> Section 5.1 of RFC 3470/BCP 70 includes relevant text.  In a
> nutshell, UTF-8 is a MUST if you're using XML.  UTF-16 is
> recommended since you get it for free with XML parsers, but it's not
> required.  An XML declaration is not needed if you're using either
> UTF-8 or UTF-16.  A byte order mark is required with UTF-16.  Other
> encodings are possible, but if something else is used it must be
> identified with an appropriate XML declaration.

Thanks for the pointer; it looks like Section 4.1 of the document 
is also relevant:

   In some uses of XML as an embedded protocol element, the XML used
   is a small fragment in a larger context, where the XML version is
   fixed at "1.0" and the character encoding is known to be "UTF-8".
   In those cases, an XML declaration might add extra overhead.  In
   cases where the XML is a larger component which may find its way
   alone as an external entity body (transported as a MIME message,
   for example), the XML declaration is an important marker and is
   useful for reliability and extensibility.  The XML declaration is
   also an important marker for character set/encoding (see Section
   5.1), if any encoding other than UTF-8 or UTF-16 is used.  Note
   that in the case of UTF-16, XML requires that the entity starts
   with a Byte Order Mark (BOM), which is not part of the character
   data.  Note that the XML Declaration itself is not part of the XML
   document's Information Set.

   Protocol specifications must be clear about use of XML
   declarations.  XML [8] notes that "XML documents should begin with
   an XML declaration which specifies the version of XML being used."
   In general, an XML declaration should be encouraged ("SHOULD be
   present") and must always be allowed ("MAY be sent").  An XML
   declaration should be required in cases where, if allowed, the
   character encoding is anything other than UTF-8 or UTF-16.  

Since the latter paragraph says that XML declaration must always be
allowed, the simplest approach would be to always require it here.
In other words, draft-housley-tls-authz-extns should say something
like this, right?

   "When SAMLAssertion is used, the field contains an XML text
   declaration, followed by an <Assertion> element using the
   AssertionType complex type as defined in [SAML1.1][SAML2.0]. 
   The field MUST also follow the rules of [XML] for including
   the Byte Order Mark (BOM) in encoded entities."

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls