[mdx] new document: SAML Profile for the Metadata Query Protocol

Ian Young ian at iay.org.uk
Thu Oct 17 07:56:41 PDT 2013


I have completed an initial draft of a layered "SAML Profile for the Metadata Query Protocol" as previously described.

You can find a text rendering of it here:

https://github.com/iay/md-query/blob/master/draft-young-md-query-saml.txt

I've uploaded the HTML temporarily here, in case that's a little easier to read:

http://dl.dropbox.com/u/236274/draft-young-md-query-saml.html

I'm fairly happy with the overall structure of this, although there is probably some more work to do on the detail. Doubtless there are plenty of typos, too.

* I've made it clear that this is a profile restricted to SAML entities using SAML metadata. If there is a need for other related profiles in the distant future (SAML entities using non-SAML metadata, non-SAML entities using SAML metadata) then we can write new profiles when we need them.

* I've used ABNF to be precise about what a SHA-1 transformed identifier must look like, and in particular about them being lower case. I think this is compatible with what we've previously discussed, just a bit more precise.

* If this works out, I intend to remove all mention of SHA-1 from the base document and re-describe the "{xxx}" construct as a generalised extension mechanism.

* I've included a detailed description of requirements that both the SAML metadata spec and Scott's implementation impose on returned metadata (e.g., if it's a single entity being returned, it MUST be an EntityDescriptor and not an EntitiesDescriptor).

* Leif: I think that section also answers your issue #2; please confirm: https://github.com/iay/md-query/issues/2

* The Security Considerations is now much more specific about the integrity mechanism to use. I think there probably ought to be a reference to SAML2MetaIOP as part of that; suggestions welcome as to exactly how to phrase that.

* I've included a section about the security aspects of using SHA-1 in transformed identifiers as previously discussed.

Fairly full review is appropriate for this, as it's a new document. The intention, obviously, would be to submit this along with the next version of the core document when everything is stable again.

Enjoy,

	-- Ian
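Added illustration (editor's example, not code from Ian's post or the md-query repository) of the two points above: the lowercase SHA-1 transformed identifier and the single-entity response check. It assumes the identifier form `{sha1}` + 40 lowercase hex digits of the UTF-8 entityID, an `/entities/` request path with the braces percent-encoded, and constructed sample metadata.

```python
import hashlib
import re
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumed shape of a transformed identifier: the literal "{sha1}" followed by
# exactly 40 lowercase hex digits (SHA-1 of the UTF-8 encoded entityID).
TRANSFORMED_ID_RE = re.compile(r"\{sha1\}[0-9a-f]{40}")


def transformed_identifier(entity_id: str) -> str:
    """Derive the transformed identifier for an entityID (hexdigest() is already lowercase)."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def is_valid_transformed_identifier(candidate: str) -> bool:
    """Strict syntax check: uppercase hex, wrong length or trailing junk are all rejected."""
    return TRANSFORMED_ID_RE.fullmatch(candidate) is not None


def query_url(base_url: str, identifier: str) -> str:
    """Build the request URL; '{' and '}' may not appear raw in a URL path, so percent-encode."""
    return base_url.rstrip("/") + "/entities/" + urllib.parse.quote(identifier, safe="")


def is_single_entity_response(xml_text: str, expected_entity_id: str) -> bool:
    """A single-entity query must come back as one md:EntityDescriptor (never an
    EntitiesDescriptor), and its entityID must be the one that was requested."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % SAML_MD_NS:
        return False
    return root.get("entityID") == expected_entity_id


# Constructed sample inputs (not real deployments).
ENTITY_ID = "https://idp.example.org/idp/shibboleth"
GOOD_RESPONSE = '<md:EntityDescriptor xmlns:md="%s" entityID="%s"/>' % (SAML_MD_NS, ENTITY_ID)
BAD_RESPONSE = (
    '<md:EntitiesDescriptor xmlns:md="%s"><md:EntityDescriptor entityID="%s"/>'
    '</md:EntitiesDescriptor>' % (SAML_MD_NS, ENTITY_ID)
)

if __name__ == "__main__":
    tid = transformed_identifier(ENTITY_ID)
    print(tid, is_valid_transformed_identifier(tid))
    print(query_url("https://mdq.example.org/", tid))
    print(is_single_entity_response(GOOD_RESPONSE, ENTITY_ID),
          is_single_entity_response(BAD_RESPONSE, ENTITY_ID))
```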


