[mdx] Small change proposed to draft-young-md-query-saml-07

Tom Scavo trscavo at gmail.com
Sun Nov 5 08:09:39 PST 2017


On Sat, Nov 4, 2017 at 10:21 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
> ... To account for this, without introducing a new syntax that existing software in the field would need to support, we're proposing a small addition to the draft where the {SHA1} syntax is described, that accounts for the edge case where it happens to be a more arbitrary value.

I may not be interpreting the diff correctly but I think you're
basically saying that a client may use the {SHA1} syntax even if the
identifier that follows is not a SHA-1 hash (let alone the SHA-1 hash
of the entityID). Ugh. The MDQ protocol spec isn't even published yet
and it already has an inherent bug.

If we were starting from scratch, we would probably define a
{SourceID} syntax in the SAML profile, right?

> we note that not a single entity in all of EDUGAIN uses a non-hashed SourceID

The last time I checked, there were no <saml1md:SourceID> elements in
eduGAIN metadata. Assuming everyone is following the spec, this
implies that all entities that support the SAML1 artifact profile are
using the SHA-1 hash of their entityID as the SourceID. However, you
can't say the same thing about entities that support the SAML2
artifact profile. AFAIK, there is no such extension element for SAML2.

Tom
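As an added illustration of the edge case discussed in this thread (not code from the draft, the list, or either poster), the following Python sketch computes the SHA-1-derived identifier a client sends under the {SHA1} syntax, and shows how a metadata server must handle the case where the value after {SHA1} is a declared SourceID rather than a hash of the entityID. The identifier format `{sha1}` + lowercase hex is assumed from the draft; the entityIDs, the registry, and the non-hash SourceID are constructed sample data.

```python
import hashlib
import re
from typing import Optional

# Constructed sample entityIDs; not taken from eduGAIN or the thread.
ENTITY_ID = "https://idp.example.org/idp/shibboleth"
LEGACY_SP = "https://legacy.example.edu/sp"

# Constructed: a SAML 1 SourceID that is NOT the SHA-1 of its entityID.
# This is the "more arbitrary value" the proposed text has to account for.
LEGACY_SOURCE_ID = "0123456789abcdef0123456789abcdef01234567"

# Constructed registry: entityID -> declared <saml1md:SourceID> (None if absent).
REGISTRY = {
    ENTITY_ID: None,            # follows the spec: SourceID = SHA-1(entityID)
    LEGACY_SP: LEGACY_SOURCE_ID,  # declares an arbitrary SourceID
}

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(value: str) -> str:
    """Lowercase hex SHA-1 of the UTF-8 encoding of value."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def saml1_source_id(entity_id: str) -> bytes:
    """Default SAML 1 artifact SourceID: the 20-byte SHA-1 of the entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def mdq_sha1_identifier(entity_id: str) -> str:
    """Assumed draft transformation: '{sha1}' followed by hex SHA-1 of the entityID."""
    return "{sha1}" + sha1_hex(entity_id)


def parse_sha1_identifier(identifier: str) -> Optional[dict]:
    """Split '{sha1}<value>'; report whether <value> is even shaped like a SHA-1 digest."""
    if not identifier.lower().startswith("{sha1}"):
        return None
    value = identifier[len("{sha1}"):].lower()
    return {"value": value, "well_formed": bool(HEX40.match(value))}


def source_id_is_derived(entity_id: str, source_id_hex: str) -> bool:
    """True iff the SourceID is exactly SHA-1(entityID), i.e. the spec-following case."""
    return sha1_hex(entity_id) == source_id_hex.lower()


def resolve(identifier: str, registry: dict) -> Optional[str]:
    """Server-side lookup for a '{sha1}' request.

    First try the hash-of-entityID index (the case the syntax was designed for),
    then fall back to declared SourceIDs, which is what the proposed wording
    permits when the value after {sha1} is not a hash of any entityID.
    """
    parsed = parse_sha1_identifier(identifier)
    if parsed is None or not parsed["well_formed"]:
        return None
    value = parsed["value"]
    by_hash = {sha1_hex(eid): eid for eid in registry}
    if value in by_hash:
        return by_hash[value]
    by_declared = {sid.lower(): eid for eid, sid in registry.items() if sid}
    return by_declared.get(value)


if __name__ == "__main__":
    print(mdq_sha1_identifier(ENTITY_ID))
    print(resolve(mdq_sha1_identifier(ENTITY_ID), REGISTRY))
    print(resolve("{sha1}" + LEGACY_SOURCE_ID, REGISTRY))
    print(source_id_is_derived(LEGACY_SP, LEGACY_SOURCE_ID))
```

The second index in `resolve` is the cost of the edge case: a server cannot tell from the request alone whether the value is a hash or an arbitrary SourceID, so it has to keep both mappings and accept that the fallback only works for entities that publish a SourceID element at all.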


More information about the mdx mailing list