[mdx] Small change proposed to draft-young-md-query-saml-07

Cantor, Scott cantor.2 at osu.edu
Wed Nov 8 14:59:04 PST 2017


On 11/8/17, 5:41 PM, "Tom Scavo" <trscavo at gmail.com> wrote:

> If I said that, I lied, since the SourceID is 20 bytes by definition.

No, the SourceID of a type 2 is the URL, which I think you noted. The language in the spec treats it that way, or at least I think it does. I know my API does, rightly or wrongly, and has for a long time.

> I would say that's a problem. If you do that, how can a responder
> detect malformed identifiers with the {sha1} syntax?

By doing what we're more or less saying, treating it as an identifier that either matches something or doesn't. There's no such thing as malformed when it's simply a string that matches something the server knows about or not.

SAML itself does not allow us to fix the fundamental fact that a conflict is possible. The spec was broken from the first day it shipped in this area because they didn't care about scale, only small circles of trust. SHA-1 was the nod toward scale, but you can't avoid a conflict if you can have one type of artifact with a mix of SHA-1 and non-SHA-1 source IDs.

So if a server encounters metadata such that it would see the same SourceID apply to two different entities, that's a case it just has to deal with in its error handling on the back-end.
 
-- Scott
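
The handling described in the message above, as an added example that is not part of the original message and is not the API it refers to: identifiers are opaque lookup keys with no syntax check, and a key that resolves to two entities is reported as a back-end conflict. The class and function names, the example.org entityIDs, and the policy of indexing an explicit hex SourceID under the `{sha1}` prefix are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

class SourceIdConflict(Exception):
    """One identifier maps to more than one entity in the loaded metadata."""

def sha1_id(entity_id: str) -> str:
    # "{sha1}" followed by the hex SHA-1 of the entityID
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()

class MetadataIndex:
    def __init__(self):
        self._index = defaultdict(set)  # identifier string -> set of entityIDs

    def add(self, entity_id, explicit_source_ids=()):
        # Assumption: an explicit 20-byte SourceID arrives as hex and is indexed
        # under the "{sha1}" prefix; a type 2 SourceID (a URL) is indexed as is.
        keys = {entity_id, sha1_id(entity_id)}
        for sid in explicit_source_ids:
            keys.add(sid if "://" in sid else "{sha1}" + sid.lower())
        for key in keys:
            self._index[key].add(entity_id)

    def lookup(self, identifier):
        # No syntax validation: the identifier matches something or it does not.
        matches = self._index.get(identifier, set())
        if len(matches) > 1:
            raise SourceIdConflict(f"{identifier} -> {sorted(matches)}")
        return next(iter(matches), None)

def demo():
    idx = MetadataIndex()
    a = "https://idp-a.example.org/idp"  # constructed sample entityIDs
    b = "https://idp-b.example.org/idp"
    idx.add(a)
    idx.add(b, explicit_source_ids=["https://idp-b.example.org/artifact"])
    results = {
        "by_sha1": idx.lookup(sha1_id(a)),
        "by_url": idx.lookup("https://idp-b.example.org/artifact"),
        "not_hex": idx.lookup("{sha1}not-hex-at-all"),  # no match, not an error
    }
    # A third entity publishes an explicit SourceID equal to SHA-1(a's entityID).
    idx.add("https://idp-c.example.org/idp",
            explicit_source_ids=[hashlib.sha1(a.encode("utf-8")).hexdigest()])
    try:
        idx.lookup(sha1_id(a))
        results["conflict"] = False
    except SourceIdConflict:
        results["conflict"] = True
    return results
```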



