fyi: draft-hodges-saml-mediatype-00

Jeff Hodges Jeff.Hodges at Sun.COM
Thu Jun 17 02:56:03 CEST 2004


Abstract:
       This document describes a MIME media type -- application/saml+xml
       -- for use with the XML serialization of SAML (Security Assertion
       Markup Language) assertions, or other SAML-defined objects.

I'm working on getting the below I-D up-to-snuff so it can be successfully 
submitted (it isn't yet -- the new reqs in RFCs 3668 & 3667 were instituted as 
of 9-Jun-2004 it seems). In the meantime, feedback on the below will be 
appreciated.

thanks,

JeffH
------

Network Working Group                                          J. Hodges
Internet-Draft                                    Sun Microsystems, Inc.
Expires: December 12, 2004                                 June 13, 2004


               application/saml+xml Media Type Registration
                      draft-hodges-saml-mediatype-00

Status of this Memo

       This document is an Internet-Draft and is in full conformance with
       all provisions of Section 10 of RFC2026.

       Internet-Drafts are working documents of the Internet Engineering
       Task Force (IETF), its areas, and its working groups. Note that
       other groups may also distribute working documents as
       Internet-Drafts.

       Internet-Drafts are draft documents valid for a maximum of six
       months and may be updated, replaced, or obsoleted by other
       documents at any time. It is inappropriate to use Internet-Drafts
       as reference material or to cite them other than as "work in
       progress."

       The list of current Internet-Drafts can be accessed at
       http://www.ietf.org/ietf/1id-abstracts.txt.

       The list of Internet-Draft Shadow Directories can be accessed at
       http://www.ietf.org/shadow.html.

       This Internet-Draft will expire on December 12, 2004.

Copyright Notice

       Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

       This document describes a MIME media type -- application/saml+xml
       -- for use with the XML serialization of SAML (Security Assertion
       Markup Language) assertions, or other SAML-defined objects.


Hodges                 Expires December 12, 2004                [Page 1]

Internet-Draft            application/saml+xml                 June 2004


Table of Contents

    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
      1.1   Discussion of this Document  . . . . . . . . . . . . . . .  3
      1.2   Document Conventions . . . . . . . . . . . . . . . . . . .  4

    2.  Usage of the application/saml+xml MIME Media Type  . . . . . .  4

    3.  application/saml+xml MIME Media Type Registration  . . . . . .  4

    4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  6

    5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  6

    6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  6

        Normative References . . . . . . . . . . . . . . . . . . . . .  6

        Informative References . . . . . . . . . . . . . . . . . . . .  8

        Author's Address . . . . . . . . . . . . . . . . . . . . . . .  9

        Intellectual Property and Copyright Statements . . . . . . . . 10

    1. Introduction

       This document defines a MIME media type -- application/saml+xml --
       for use with the XML serialization of SAML (Security Assertion
       Markup Language) assertions, or other SAML-defined objects.

       The SAML specification sets, SAML V1.0 [5] and SAML V1.1 [9], are
       work products of the OASIS [13] Security Services Technical
       Committee (SSTC) [14]. The SAML specifications define XML-based
       constructs with which one may make, and convey, security
       assertions. For example, one can assert that an authentication
       event pertaining to some subject has occurred and convey said
       assertion to a relying party.

    1.1 Discussion of this Document

       Please send comments on this document to the  "security services
       comment" email distribution list:

          <mailto:security-services-comment at lists.oasis-open.org>

       The "security services comment" mailing list is publicly
       archived here [15].

       To post to the "security services comment" mailing list, one must
       subscribe to it.  To subscribe, send a message with the single
       word "subscribe" in the message body, to:

          <mailto:security-services-comment-request at lists.oasis-open.org>

       Additionally, the SAML developer community email distribution
       list:

          <mailto:saml-dev at lists.oasis-open.org>

       may be employed to discuss usage of the application/saml+xml MIME
       media type.

       The "saml-dev" mailing list is publicly archived here [16].

       To post to the "saml-dev" mailing list, one must subscribe to it.
       To subscribe, send a message with the single word "subscribe" in
       the message body, to:

          <mailto:saml-dev-request at lists.oasis-open.org>

    1.2 Document Conventions

       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
       in this document are to be interpreted as described in RFC 2119
       [2].

    2. Usage of the application/saml+xml MIME Media Type

       Application protocols capable of conveying MIME entities, such as
       HTTP [3], SHOULD use the media type defined in this document when
       conveying SAML-defined objects.

    3. application/saml+xml MIME Media Type Registration

       This is a media type registration as defined in Multipurpose
       Internet Mail Extensions (MIME) Part Four: Registration Procedures
       [1] and XML Media Types [4].

          MIME media type name:

             application

          MIME subtype name:

             saml+xml

          Required parameters:

             none

          Optional parameters: charset

             Same as charset parameter of application/xml.

          Encoding considerations:

             Same as encoding considerations of application/xml [4].

          Security considerations:

             Security considerations include many of those described in
             section 10 of RFC 3023 [4] as well as those specifically
             described in:

                SAML V1.0 Assertions and Protocol [6]

                SAML V1.0 Bindings and Profiles [7]

                SAML V1.0 Security and Privacy Considerations [8]

             and/or

                SAML V1.1 Assertions and Protocol [10]

                SAML V1.1 Bindings and Profiles [11]

                SAML V1.1 Security and Privacy Considerations [12] .

             depending on the version of the SAML object (see the next
             item).

          Interoperability considerations:

             SAML assertions and protocol messages are explicitly
             versioned, via their MajorVersion and MinorVersion
             attributes. Relying parties SHOULD examine this version
             information before processing an object and behave
             accordingly. See "Chapter 4  SAML Versioning" in SAML V1.0
             Assertions and Protocol [6], and/or SAML V1.1 Assertions
             and Protocol [10], as appropriate.

          Published specification:

             See the SAML V1.0 [5] and SAML V1.1 [9] specification sets.

          Applications which use this media type:

             SAML is device-, platform-, and vendor-neutral and is
             supported by a range of server- and client-side applications
             and tools.

          Additional information:

             Magic number(s): none, but:

                Although no byte sequences can be counted on to
                consistently identify SAML objects, i.e. assertions
                and/or protocol messages, they will contain one or both
                of the strings

                   urn:oasis:names:tc:SAML:1.0:assertion

                   urn:oasis:names:tc:SAML:1.0:protocol

                to identify the SAML XML namespace(s). SAML V1.1 retains
                the V1.0 namespace URIs, so the same strings identify
                V1.1 objects.

             File extension(s):

                none

             Macintosh File Type Code(s):

                none

          Person & email address to contact for further information:

             Use the email distribution lists identified in Section 1.1
             above.

             Additionally, or otherwise, refer to the Security Services
             Technical Committee website [14].

          Intended usage:

             COMMON

          Author/Change controller:

             The SAML specification sets are a work product of the OASIS
             Security Services Technical Committee (SSTC). OASIS and the
             SSTC have change control over the SAML specification sets.
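
       Worked example (added here for the list, not part of the draft or
       of any SSTC work product): a receive-side check for an entity
       labelled application/saml+xml, covering the three points above
       that a relying party has to act on: Section 2 (the Content-Type
       value and its charset parameter), the "Magic number(s)" item
       (identifying a SAML object by its namespace URI rather than by a
       byte sequence) and the "Interoperability considerations" item
       (observing MajorVersion/MinorVersion). The function names, the
       SamlEntityError class and the sample assertion are this example's
       own. No SAML 1.x object requires a DTD, so the example refuses
       DOCTYPE outright, which closes off external-entity and
       entity-expansion attacks on the parser in one step; that choice is
       the example's, not the draft's.

```python
"""Receive-side handling of an application/saml+xml entity (SAML V1.0/V1.1).

Added example, not the draft's text: names, helper functions and the sample
assertion below are this example's own.
"""
from email.message import Message
import xml.parsers.expat as expat

SAML_MEDIA_TYPE = "application/saml+xml"
# SAML V1.0 and V1.1 share these namespace URIs (V1.1 did not rebind them).
SAML_NAMESPACES = {
    "urn:oasis:names:tc:SAML:1.0:assertion",
    "urn:oasis:names:tc:SAML:1.0:protocol",
}
# (MajorVersion, MinorVersion) pairs this relying party knows how to process.
SUPPORTED_VERSIONS = {("1", "0"), ("1", "1")}


class SamlEntityError(ValueError):
    """Raised when an entity must not be processed as SAML."""


def parse_content_type(header):
    """Return (lower-cased media type, charset or None) from a Content-Type value.

    email.message.Message implements the RFC 2045 parameter syntax (quoting,
    case folding), so no hand-written header parser is needed.
    """
    msg = Message()
    msg["Content-Type"] = header
    return msg.get_content_type(), msg.get_param("charset")


def inspect_saml_root(body, charset=None):
    """Parse the XML and return the document element's namespace, local name
    and version attributes, refusing DTDs and external entities outright.
    A charset parameter, when present, overrides the XML declaration.
    """
    root = {}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise SamlEntityError("DOCTYPE not permitted in a SAML entity")

    def external_entity(context, base, sysid, pubid):
        raise SamlEntityError("external entity reference refused")

    def start_element(name, attrs):
        if root:                      # only the document element matters here
            return
        ns, _, local = name.rpartition(" ")   # expat reports "nsURI localName"
        root.update(ns=ns, local=local,
                    major=attrs.get("MajorVersion"),
                    minor=attrs.get("MinorVersion"))

    parser = expat.ParserCreate(encoding=charset, namespace_separator=" ")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise SamlEntityError(f"malformed XML: {exc}") from exc
    if not root:
        raise SamlEntityError("empty document")
    return root


def accept_saml_entity(content_type, body):
    """Full receive-side check: media type, then namespace, then version."""
    media_type, charset = parse_content_type(content_type)
    if media_type != SAML_MEDIA_TYPE:
        raise SamlEntityError(f"unexpected media type {media_type!r}")
    root = inspect_saml_root(body, charset)
    if root["ns"] not in SAML_NAMESPACES:
        raise SamlEntityError(f"root element not in a SAML namespace: {root['ns']!r}")
    if (root["major"], root["minor"]) not in SUPPORTED_VERSIONS:
        raise SamlEntityError(f"unsupported SAML version {root['major']}.{root['minor']}")
    return root


def rejection_reason(content_type, body):
    """None if the entity is accepted, otherwise the reason it was refused."""
    try:
        accept_saml_entity(content_type, body)
    except SamlEntityError as exc:
        return str(exc)
    return None


# Constructed sample input (not from the draft): a minimal SAML V1.1 assertion.
SAMPLE_CONTENT_TYPE = 'application/saml+xml; charset="UTF-8"'
SAMPLE_ASSERTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_a1"
    Issuer="https://idp.example.org" IssueInstant="2004-06-13T00:00:00Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-06-13T00:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
# Same assertion with a DTD that defines an entity prepended: must be refused.
DOCTYPE_ASSERTION = (b'<!DOCTYPE Assertion [<!ENTITY x "y">]>'
                     + SAMPLE_ASSERTION.split(b"?>", 1)[1])

if __name__ == "__main__":
    print(accept_saml_entity(SAMPLE_CONTENT_TYPE, SAMPLE_ASSERTION))
    print(rejection_reason("text/xml; charset=utf-8", SAMPLE_ASSERTION))
    print(rejection_reason(SAMPLE_CONTENT_TYPE, DOCTYPE_ASSERTION))
```

       The check applies only to entities actually labelled
       application/saml+xml. SAML objects carried inside a SOAP envelope
       (the SAML SOAP binding) are labelled by SOAP's own media type
       and never reach the media-type test above; the namespace and
       version checks still apply once the envelope has been opened.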


    4. IANA Considerations

       This document calls for registration of a new MIME media type,
       application/saml+xml, according to the registration information
       given above in Section 3.

    5. Security Considerations

       See the "Security Considerations" item in Section 3 above.

    6. Acknowledgements

       This document is based on Aaron Swartz's internet-draft for the
       application/rdf+xml MIME media type [18]. Thanks to Graham Klyne
       for pointing me to the latter, to Scott Cantor and John Kemp for
       volunteering me to write this, and to Marshall Rose for his
       xml2rfc document converter gizmo [17]. Artists whose music
       contributed to the writing of this spec ranged from John Coltrane
       [19] to Trapt [20].

Normative References

       [1]   Freed, N., Klensin, J. and J. Postel, "Multipurpose Internet
             Mail Extensions (MIME) Part Four: Registration Procedures",
             BCP 13, RFC 2048, November 1996.

       [2]   Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

       [3]   Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter,
             L., Leach, P. and T. Berners-Lee, "Hypertext Transfer
             Protocol -- HTTP/1.1", RFC 2616, June 1999.

       [4]   Murata, M., St. Laurent, S. and D. Kohn, "XML Media Types",
             RFC 3023, January 2001.

       [5]   OASIS, "Security Assertion Markup Language (SAML) Version
             1.0 Specification Set", OASIS Standard 200205, September
             2003,
             <http://www.oasis-open.org/committees/download.php/2290/oasis-sstc-saml-1.0.zip>.

       [6]   Hallam-Baker, P., Ed. and E. Maler, Ed., "Assertions and
             Protocol for the OASIS Security Assertion Markup Language
             (SAML) V1.0", OASIS Standard 200205, November 2002,
             <http://www.oasis-open.org/apps/org/workgroup/security/download.php/1371/oasis-sstc-saml-core-1.0.pdf>.

       [7]   Mishra, P., Ed., "Bindings and Profiles for the OASIS
             Security Assertion Markup Language (SAML) V1.0", OASIS
             Standard 200205, November 2002,
             <http://www.oasis-open.org/apps/org/workgroup/security/download.php/1372/oasis-sstc-saml-bindings-1.0.pdf>.

       [8]   McLaren, C., Ed., "Security and Privacy Considerations for
             the OASIS Security Assertion Markup Language (SAML) V1.0",
             OASIS Standard 200205, November 2002,
             <http://www.oasis-open.org/apps/org/workgroup/security/download.php/1375/oasis-sstc-saml-sec-consider-1.0.pdf>.

       [9]   OASIS, "Security Assertion Markup Language (SAML) Version
             1.1 Specification Set", OASIS Standard 200308, September
             2003,
             <http://www.oasis-open.org/committees/download.php/3400/oasis-sstc-saml-1.1-pdf-xsd.zip>.

       [10]  Maler, E., Ed., Mishra, P., Ed. and R. Philpott, Ed.,
             "Assertions and Protocol for the OASIS Security Assertion
             Markup Language (SAML) V1.1", OASIS Standard 200308,
             September 2003,
             <http://www.oasis-open.org/apps/org/workgroup/security/download.php/3406/oasis-sstc-saml-core-1.1.pdf>.

       [11]  Maler, E., Ed., Mishra, P., Ed. and R. Philpott, Ed.,
             "Bindings and Profiles for the OASIS Security Assertion
             Markup Language (SAML) V1.1", OASIS Standard 200308,
             September 2003,
             <http://www.oasis-open.org/apps/org/workgroup/security/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf>.

       [12]  Maler, E., Ed. and R. Philpott, Ed., "Security and Privacy
             Considerations for the OASIS Security Assertion Markup
             Language (SAML) V1.1", OASIS Standard 200308, September
             2003,
             <http://www.oasis-open.org/apps/org/workgroup/security/download.php/3404/oasis-sstc-saml-sec-consider-1.1.pdf>.

Informative References

       [13]  "Organization for the Advancement of Structured Information
             Systems (OASIS)", <http://www.oasis-open.org/>.

       [14]  "Security Services Technical Committee (SSTC/SAML)",
             <http://www.oasis-open.org/committees/security/>.

       [15]  "SSTC/SAML 'comment' Mailing List Archives",
             <http://lists.oasis-open.org/archives/security-services-comment/>.

       [16]  "SSTC/SAML 'saml-dev' Mailing List Archives",
             <http://lists.oasis-open.org/archives/saml-dev/>.

       [17]  "Marshall Rose's xml2rfc tool", <http://xml.resource.org>.

URIs

       [18]  <http://www.aaronsw.com/2002/draft-w3c-rdfcore-rdfxml-mediatype-01>

       [19]  <http://www.johncoltrane.com/>

       [20]  <http://www.trapt.com/>

Author's Address

    Jeff Hodges
    Sun Microsystems, Inc.
    4220 Network Circle, Bldg 22, USCA22-212
    Santa Clara, CA  95054
    USA

    Phone: +1 408.276.5467
    EMail: Jeff.Hodges at sun.com
    URI:   http://www.sun.com/

Intellectual Property Statement

       The IETF takes no position regarding the validity or scope of any
       intellectual property or other rights that might be claimed to
       pertain to the implementation or use of the technology described
       in this document or the extent to which any license under such
       rights might or might not be available; neither does it represent
       that it has made any effort to identify any such rights.
       Information on the IETF's procedures with respect to rights in
       standards-track and standards-related documentation can be found
       in BCP-11. Copies of claims of rights made available for
       publication and any assurances of licenses to be made available,
       or the result of an attempt made to obtain a general license or
       permission for the use of such proprietary rights by implementors
       or users of this specification can be obtained from the IETF
       Secretariat.

       The IETF invites any interested party to bring to its attention
       any copyrights, patents or patent applications, or other
       proprietary rights which may cover technology that may be required
       to practice this standard. Please address the information to the
       IETF Executive Director.


Full Copyright Statement

       Copyright (C) The Internet Society (2004). All Rights Reserved.

       This document and translations of it may be copied and furnished
       to others, and derivative works that comment on or otherwise
       explain it or assist in its implementation may be prepared,
       copied, published and distributed, in whole or in part, without
       restriction of any kind, provided that the above copyright notice
       and this paragraph are included on all such copies and derivative
       works. However, this document itself may not be modified in any
       way, such as by removing the copyright notice or references to the
       Internet Society or other Internet organizations, except as needed
       for the purpose of developing Internet standards in which case the
       procedures for copyrights defined in the Internet Standards
       process must be followed, or as required to translate it into
       languages other than English.

       The limited permissions granted above are perpetual and will not
       be revoked by the Internet Society or its successors or assignees.

       This document and the information contained herein is provided on
       an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
       ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
       IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
       THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
       WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Acknowledgment

       Funding for the RFC Editor function is currently provided by the
       Internet Society.
