
Re: [abfab] Last Call: <draft-ietf-abfab-gss-eap-naming-05.txt> (Name Attributes for the GSS-API EAP mechanism) to Proposed Standard

2012-10-05 10:04:25
On 10/4/12 4:58 PM, "Sam Hartman" <hartmans(_at_)painless-security(_dot_)com> wrote:

Any advice from the SAML community on responding to the following
comment from Simon:

  If the value is not simple or is empty, then the raw value(s) of the
  GSS name attribute MUST be the well-formed serialization of the
  <saml:AttributeValue> element(s) encoded as UTF-8.  The "display"
  values are implementation-defined.

Question: what serialization is intended here?  An example here would
make this more clear.

I think that was my text, possibly. I just meant that it's the XML
representation of the element, but well-formed, meaning that you have to
make sure any namespaces are declared, etc. so that if a parser were to
parse that serialization, it would be well-formed XML.

Like, say, this:

<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        FriendlyName="eduPersonTargetedID">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  NameQualifier="https://idp.example.org/idp/shibboleth"
                  SPNameQualifier="https://sp.example.org/shibboleth">
        84e411ea-7daa-4a57-bbf6-b5cc52981b73
    </saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>

That's not a simple XML content model. So one such serialization is:

<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  NameQualifier="https://idp.example.org/idp/shibboleth"
                  SPNameQualifier="https://sp.example.org/shibboleth">
        84e411ea-7daa-4a57-bbf6-b5cc52981b73
    </saml2:NameID>
</saml2:AttributeValue>

This is NOT the same as canonicalization of course. It's just well-formed
and is one of many possible serializations that would meet the requirement.



I suspect an example for the spec might be simpler. I just didn't have an
example of a complex value to hand, other than that case.

-- Scott
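The requirement Scott describes (a raw value that is the AttributeValue element serialized as stand-alone, well-formed XML with its namespaces declared, which is not the same thing as a canonical form) is easy to get wrong by slicing the element's bytes out of the enclosing assertion, where the saml2 prefix is usually declared on an ancestor. The following is an added example, not code from the draft or from any ABFAB implementation, showing how a GSS mechanism might derive the raw values and how a consumer should check and compare them. It assumes, as a reading of the draft text, that a "simple" value is non-empty text-only content and that anything else (child elements, or nothing at all) is serialized; the sample statement is constructed for the example, with hypothetical urn:example:* attribute names alongside the eduPersonTargetedID value from the post.

```python
import copy
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTRIBUTE = "{%s}Attribute" % SAML2_NS
ATTRIBUTE_VALUE = "{%s}AttributeValue" % SAML2_NS

# Emit the conventional prefix instead of ElementTree's default "ns0".
ET.register_namespace("saml2", SAML2_NS)

# Constructed sample statement (not from the draft): the eduPersonTargetedID
# attribute from the post plus a string-valued and an empty attribute with
# hypothetical names, so all three cases in the draft text are exercised.
# The namespace is declared once, on the AttributeStatement, not on each value,
# which is why a byte-slice of an AttributeValue alone would not be well-formed.
SAMPLE_STATEMENT = b"""<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                   FriendlyName="eduPersonTargetedID">
    <saml2:AttributeValue>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                    NameQualifier="https://idp.example.org/idp/shibboleth"
                    SPNameQualifier="https://sp.example.org/shibboleth">84e411ea-7daa-4a57-bbf6-b5cc52981b73</saml2:NameID>
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:example:mail">
    <saml2:AttributeValue>alice@example.org</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:example:empty">
    <saml2:AttributeValue/>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""


def classify(value):
    """Assumed reading of the draft: 'simple' is non-empty text-only content,
    'empty' has neither text nor child elements, anything with children is
    'complex'. Empty and complex values both get the XML serialization."""
    if len(value):
        return "complex"
    return "simple" if (value.text or "").strip() else "empty"


def raw_gss_value(value):
    """Return the raw GSS name attribute value as UTF-8 bytes."""
    if classify(value) == "simple":
        return value.text.encode("utf-8")
    # Serialize only this element. ET.tostring declares every namespace the
    # subtree uses on the subtree root, which is what makes the fragment
    # well-formed on its own. Drop the tail so whitespace belonging to the
    # parent is not carried along.
    detached = copy.deepcopy(value)
    detached.tail = None
    return ET.tostring(detached, encoding="utf-8")


def gss_name_attribute_values(statement):
    """Return (Name, kind, raw_bytes) for every AttributeValue in a statement."""
    root = ET.fromstring(statement)
    result = []
    for attr in root.iter(ATTRIBUTE):
        for value in attr.findall(ATTRIBUTE_VALUE):
            result.append((attr.get("Name"), classify(value), raw_gss_value(value)))
    return result


def is_well_formed(raw):
    """The check the draft's wording implies: a parser must accept the raw
    bytes exactly as delivered, with no outer context supplied."""
    try:
        ET.fromstring(raw)
        return True
    except ET.ParseError:
        return False


def structurally_equal(a, b):
    """Compare two raw values as XML, not as bytes. The serialization is
    well-formed but not canonical, so two equal values may differ bytewise
    (prefix choice, whitespace, attribute order)."""
    def same(x, y):
        return (x.tag == y.tag and x.attrib == y.attrib
                and (x.text or "").strip() == (y.text or "").strip()
                and len(x) == len(y) and all(same(p, q) for p, q in zip(x, y)))
    return same(ET.fromstring(a), ET.fromstring(b))


if __name__ == "__main__":
    for name, kind, raw in gss_name_attribute_values(SAMPLE_STATEMENT):
        print(name, kind, raw.decode("utf-8"))
```

Two practical consequences follow from the "well-formed but not canonical" point: a consumer that receives a serialized value must parse it rather than string-match it (an eduPersonTargetedID emitted by one mechanism with prefix saml2 and by another with prefix s is the same identifier), and the parser used on these values is handling data that ultimately came from a remote party, so it should be configured with entity expansion and external entities disabled, which the standard library parser here does not do for you.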