[mdx] Small change proposed to draft-young-md-query-saml-07

Tom Scavo trscavo at gmail.com
Tue Nov 7 15:28:34 PST 2017


On Tue, Nov 7, 2017 at 9:42 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>> That statement doesn't clarify anything for MDQ clients or responders.
>
> I disagree, obviously. Pointing out that a client could unknowingly send a value that isn't actually a hash of an entityID seems relevant.

The only thing that matters is what the responder does. If the client
uses the {SHA1} syntax, but the identifier is not in the responder's
list of hashed entityIDs, apparently you want to give the responder
the flexibility to return entity metadata if "the responder knows
best." That doesn't seem right to me.

Again, just to be clear, if the client were obliged to use a
{SourceID} syntax instead of the {SHA1} syntax, the spec could easily
be rewritten to accommodate that and we probably wouldn't be having
this conversation. OTOH, if we're going to stick with the {SHA1}
syntax (and yes, I understand why that is being proposed), then that
begs a literal interpretation of the syntax.

As a thought experiment, what if we wanted to support the SAML V1.1
Type 0x0002 Artifact? Knowing what we know now, would we define a
{URI} syntax or a {SourceLocation} syntax? (Hindsight is 20-20, I
know.)

>> The namespace prefix used in the metadata profile (saml1md:) makes the
>> intent fairly clear. If there's a corresponding profile for SAML2, I
>> don't know what it is. Can you give a reference please?
>
> The prefix is both non-normative and just a matter of XML machinery, and the SourceID notion is not unique to SAML 1. There's no reason not to apply it.

That would be a stretch since the corresponding namespace is:
urn:oasis:names:tc:SAML:profiles:v1metadata

I was there so you can't pull the wool over my eyes :-) but it doesn't
matter anyway since the SAML artifact protocol is, for all practical
purposes, deprecated. OIDC will make it even more irrelevant than it
already is. Why agonize over its use? Let's just require SHA-1 in the
MDQ protocol spec and be done with it.

Tom
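Added example, not part of Tom's message or of draft-young-md-query-saml: the {sha1} transform as this thread uses it, a responder that takes the syntax literally (a {sha1} value is served only if it is the SHA-1 of an entityID the responder actually holds), and how a SAML 2.0 type 0x0004 artifact's SourceID turns into such an identifier. The transform details (lowercase hex of SHA-1 over the UTF-8 entityID, percent-encoded into the /entities/ path) are my reading of the draft; the entityIDs, placeholder metadata and message handle are constructed.

```python
"""The MDQ {sha1} transform, a strictly matching responder, and SAML 2.0 artifact SourceIDs.

Added example; assumptions about the transform are noted inline.
"""
import base64
import hashlib
import os
from urllib.parse import quote

# Constructed entityIDs standing in for the responder's metadata aggregate.
KNOWN_ENTITY_IDS = (
    "https://idp.example.org/idp/shibboleth",
    "https://sp.example.edu/shibboleth",
)


def sha1_transform(entity_id: str) -> str:
    """Transformed identifier: '{sha1}' + lowercase hex SHA-1 of the entityID's UTF-8 bytes.

    Assumption: this is how the draft defines the sha1 transform."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def mdq_request_path(identifier: str) -> str:
    """Request path /entities/<identifier>; the identifier is percent-encoded so that
    '{', '}', ':' and '/' in it survive as a single path segment."""
    return "/entities/" + quote(identifier, safe="")


class StrictResponder:
    """A responder that reads the {sha1} syntax literally (the position Tom argues for):
    it serves a {sha1} identifier only if it equals the hash of an entityID it knows."""

    def __init__(self, entity_ids):
        # Placeholder metadata bodies; a real responder holds EntityDescriptor XML.
        self.by_entity_id = {e: f"<EntityDescriptor entityID={e!r}/>" for e in entity_ids}
        self.by_sha1 = {sha1_transform(e): e for e in entity_ids}

    def lookup(self, identifier: str):
        """Return (http_status, entity_id or None).

        Design choice of this example: a {sha1} value not in the responder's table of
        hashed entityIDs is simply not found; the responder does not try to guess what
        the client 'really' meant, and an unknown transform is treated the same way."""
        if identifier.startswith("{sha1}"):
            entity_id = self.by_sha1.get(identifier)
        elif identifier.startswith("{"):
            entity_id = None  # unrecognised transform, e.g. a hypothetical {sourceid}
        else:
            entity_id = identifier if identifier in self.by_entity_id else None
        return (200, entity_id) if entity_id is not None else (404, None)


def saml2_artifact(entity_id: str, endpoint_index: int, message_handle: bytes) -> str:
    """Build a SAML 2.0 type 0x0004 artifact:
    TypeCode(2) || EndpointIndex(2) || SourceID(20) || MessageHandle(20), base64-encoded.

    SourceID is the raw 20-byte SHA-1 of the issuer's entityID, the derivation the SAML 2.0
    Bindings spec gives for this artifact type."""
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    source_id = hashlib.sha1(entity_id.encode("utf-8")).digest()
    raw = b"\x00\x04" + endpoint_index.to_bytes(2, "big") + source_id + message_handle
    return base64.b64encode(raw).decode("ascii")


def sha1_identifier_from_artifact(artifact: str) -> str:
    """What an artifact receiver can put in an MDQ request: the SourceID bytes rendered as a
    {sha1} identifier. Whether that value is the hash of any entityID is exactly what the
    responder's table decides; the client only knows it has 20 bytes."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a type 0x0004 artifact")
    return "{sha1}" + raw[4:24].hex()


if __name__ == "__main__":
    responder = StrictResponder(KNOWN_ENTITY_IDS)
    issuer = KNOWN_ENTITY_IDS[0]
    art = saml2_artifact(issuer, 0, os.urandom(20))  # constructed message handle
    ident = sha1_identifier_from_artifact(art)
    print(mdq_request_path(ident), responder.lookup(ident))
    # A SourceID that is not the hash of any known entityID gets a plain 404.
    stray = "{sha1}" + hashlib.sha1(b"https://unknown.example.net/").hexdigest()
    print(mdq_request_path(stray), responder.lookup(stray))
```

The lookup table is the whole point: the responder's answer depends only on whether the 40 hex characters after `{sha1}` match a hash it computed itself from an entityID in its aggregate, never on where the client obtained the value.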

