The part about X.509 attribute certificates looks fine, but
at least the SAML part still needs some work:
1) I think the document needs to discuss the security considerations
of bearer SAML assertions in more detail. While the countermeasures
described in 3.3.2 may help against passive eavesdroppers, they
still allow an active MiTM to "steal" the permission. This is IMHO
a significant difference to typical SAML usage with HTTP-over-TLS,
where the server is authenticated before the bearer assertion is
sent.
2) Section 3.3.2: "When SAMLAssertion is used, the field contains XML
constructs with a nested structure defined in [SAML1.1][SAML2.0]."
This needs to be much more specific than "some XML from these
documents". What element/elements? Is this an XML document
(with XML declaration etc.), or just a "fragment"? Which encoding?
And so on...
3) The document is last called for Proposed Standard, but contains
a normative reference to Informational RFC (RFC 2704). I'd
suggest removing the KeyNote stuff from this document (if someone
really wants to do KeyNote, it can be a separate document).
Minor editorial comments:
4) Section 2.3: the list type is "AuthorizationDataFormats" but
enum is spelled "AuthzDataFormat".
Best regards,
Pasi
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf