for review: draft -01 of application/samlmetadata+xml registration

Jeff.Hodges at KingsMountain.com
Mon Sep 20 21:42:46 CEST 2004


  Registration of MIME media type application/samlmetadata+xml

<@@NOTE: This document is:

sstc-saml-2.0-application-samlmetadata-registration-01
Jeff Hodges <Jeff.Hodges at Sun.com>
20-Sep-2004

This document is intended to be included in
sstc-saml-metadata-2.0-cd-02 (i.e. the next time [SAMLv2Meta] is
rev'd), as an appendix.

Please see http://www.w3.org/2002/06/registering-mediatype.html
for an overview of the intricacies involved when a non-IETF organization
registers a MIME media type in the "standards tree" (aka "IETF
tree").

The below registration material is intended to satisfy the
requirements stated in draft-freed-media-type-reg-01.txt (which
superseded draft-freed-mime-p4-04.txt).

This "NOTE" is intended to be removed upon copying this document's
content into [SAMLv2Meta].

Acknowledgments: Thanks to Ned Freed, Larry Masinter, Graham Klyne,
and Chris Lilley for their comments on prior drafts of this
registration. The security considerations section leverages that of
http://www.iana.org/assignments/media-types/application/vnd.paos+xml,
by John Kemp.
>


To: ietf-types at iana.org
Subject: Registration of MIME media type application/samlmetadata+xml

Introduction
     This document defines a MIME media type --
     application/samlmetadata+xml -- for use with the XML
     serialization of Security Assertion Markup Language metadata.

     SAML is a work product of the OASIS Security Services Technical
     Committee [SSTC]. The SAML specifications define XML-based
     constructs with which one may make, and convey, security
     assertions. Using SAML, one can assert that an authentication
     event pertaining to some subject has occurred and convey said
     assertion to a relying party, for example.

     SAML profiles require agreements between system entities
     regarding identifiers, binding support, endpoints,
     certificates, keys, and so forth. Such information is treated
     as metadata by SAML v2.0. [SAMLv2Meta] specifies this metadata,
     as well as specifying metadata publication and resolution
     mechanisms. If the publishing protocol permits MIME-based
     identification of content types, then use of the
     application/samlmetadata+xml MIME media type is required.

MIME media type name: application

MIME subtype name: samlmetadata+xml

Required parameters: none

Optional parameters: charset
     Same as charset parameter of application/xml [RFC3023].

Encoding considerations:
     Same as for application/xml [RFC3023].

Security considerations:
     Per their specification, samlmetadata+xml typed objects do not
     contain executable content. However, these objects are
     XML-based [XML], and thus they have all of the general security
     considerations presented in section 10 of [RFC3023].

     SAML metadata [SAMLv2Meta] contains information whose integrity
     and authenticity is important – identity provider and service
     provider public keys and endpoint addresses, for example.

     To counter potential issues, the publisher may sign
     samlmetadata+xml typed objects. Any such signature should be
     verified by the recipient of the data - both as a valid
     signature, and as being the signature of the publisher.

     Additionally, various of the publication protocols, e.g.
     HTTP-over-TLS/SSL, offer means for ensuring the authenticity of
     the publishing party and for protecting the metadata in
     transit. [SAMLv2Meta] also defines prescriptive metadata
     caching directives, as well as guidance on handling HTTPS
     redirects, trust processing, server authentication, and related
     items.

     For a more detailed discussion of SAML v2.0 metadata and its
     security considerations, please see [SAMLv2Meta]. For a
     discussion of overall SAML v2.0 security considerations and
     specific security-related design features, please refer to the
     SAML v2.0 specifications listed in the below bibliography. The
     specifications containing security-specific information are
     explicitly listed.

Interoperability considerations:
     SAML v2.0 metadata explicitly supports identifying the
     protocols and versions supported by the identified entities.
     For example, an identity provider entity can be denoted as
     supporting SAML v2.0, SAML v1.1 [SAMLv1.1], Liberty ID-FF 1.2
     [LAPFF], or even other protocols if they are unambiguously
     identifiable via URI [RFC2396]. This protocol support 
     information is conveyed via the protocolSupportEnumeration
     attribute of metadata objects of the RoleDescriptorType.

Published specification:
     [SAMLv2Meta] explicitly specifies use of the
     application/samlmetadata+xml MIME media type.

Applications which use this media type:
     Potentially any application implementing SAML v2.0, as well as
     those applications implementing specifications based on SAML,
     e.g. those available from the Liberty Alliance [LAP].

Additional information:

     Magic number(s):
          In general, the same as for application/xml [RFC3023]. In 
          particular, the XML root element of the returned object
          will be one of <EntityDescriptor>,
          <AffiliationDescriptor>, or <EntitiesDescriptor>, and will
          be in the SAMLv2.0 metadata namespace:

               urn:oasis:names:tc:SAML:2.0:metadata

     File extension(s): none
     Macintosh File Type Code(s): none
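A consumer-side check tying the points above together, added here as an example and not part of this registration or of the SAML specifications: it refuses DTD and entity declarations (the [RFC3023] section 10 concerns), compares the media type while tolerating a charset parameter, enforces the magic-number rule (root element and the SAMLv2.0 metadata namespace), and reads the protocolSupportEnumeration attribute described under Interoperability considerations. The sample document is constructed; its entityID is a placeholder and the listed protocol URIs are the SAML 2.0 and SAML 1.1 protocol namespaces.

```python
import xml.parsers.expat as expat

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOT_ELEMENTS = {"EntityDescriptor", "EntitiesDescriptor", "AffiliationDescriptor"}
MEDIA_TYPE = "application/samlmetadata+xml"

# Constructed sample metadata (placeholder entityID); a real document would
# normally also carry endpoints, keys and a signature.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol"/>
</md:EntityDescriptor>"""


def media_type_matches(content_type: str) -> bool:
    """Compare only type/subtype; a charset parameter (per [RFC3023]) is allowed."""
    return content_type.split(";", 1)[0].strip().lower() == MEDIA_TYPE


def inspect_metadata(data: bytes) -> dict:
    """Parse with DTDs and entities forbidden; return the root element name and the
    protocolSupportEnumeration of each role descriptor. Raises ValueError on violations."""
    result = {"root": None, "roles": []}
    depth = 0

    def reject(*_args):
        raise ValueError("DOCTYPE and entity declarations are not allowed in SAML metadata")

    def start(name, attrs):
        nonlocal depth
        ns, _, local = name.rpartition(" ")      # expat reports "namespace local"
        if depth == 0:
            if ns != MD_NS or local not in ROOT_ELEMENTS:
                raise ValueError(f"unexpected root element {name!r}")
            result["root"] = local
        if "protocolSupportEnumeration" in attrs:  # only RoleDescriptorType elements carry it
            result["roles"].append((local, attrs["protocolSupportEnumeration"].split()))
        depth += 1

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = reject     # no DTDs at all
    parser.EntityDeclHandler = reject           # no internal entity definitions
    parser.ExternalEntityRefHandler = reject    # no external entity resolution
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result
```

Signature verification of the parsed document, which the Security considerations call for, is a separate step that needs an XML Signature implementation and is not covered here.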

Person & email address to contact for further information:
     This registration is made on behalf of the OASIS Security
     Services Technical Committee (SSTC). Please refer to the SSTC
     website for current information on committee chairperson(s) and
     their contact addresses:
     http://www.oasis-open.org/committees/security/. Committee
     members should submit comments and potential errata to the
     securityservices at lists.oasis-open.org list. Others should 
     submit them by filling out the web form located at
     http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=

     Additionally, the SAML developer community email distribution
     list, saml-dev at lists.oasis-open.org, may be employed to discuss
     usage of the application/samlmetadata+xml MIME media type. The
     "saml-dev" mailing list is publicly archived here:
     http://lists.oasis-open.org/archives/saml-dev/. To post to the 
     "saml-dev" mailing list, one must subscribe to it. To
     subscribe, send a message with the single word "subscribe" in
     the message body, to: saml-dev-request at lists.oasis-open.org.

Intended usage: COMMON

Author/Change controller:
     The SAML specification sets are a work product of the OASIS
     Security Services Technical Committee (SSTC). OASIS and the
     SSTC have change control over the SAML specification sets.

Bibliography

     [LAP]          "Liberty Alliance Project". See
                    http://www.projectliberty.org/
                    
     [LAPFF]        "Liberty Alliance Project: Federation Framework". See
                    http://www.projectliberty.org/resources
                    /specifications.php#box1

     [OASIS]        "Organization for the Advancement of Structured
                    Information Systems". See
                    http://www.oasis-open.org/
                    
     [RFC2396]      T. Berners-Lee, R. Fielding, L. Masinter, "Uniform
                    Resource Identifiers (URI): Generic Syntax". IETF
                    RFC 2396, August 1998. Available at
                    http://www.ietf.org/rfc/rfc2396.txt
                    
     [RFC3023]      M. Murata, S. St.Laurent, D. Kohn, "XML Media Types",
                    IETF Request for Comments 3023, January 2001.
                    Available as
                    http://www.rfc-editor.org/rfc/rfc3023.txt
                    
     [SAMLv1.1]     OASIS Security Services Technical Committee,
                    "Security Assertion Markup Language (SAML)
                    Version 1.1 Specification Set". OASIS Standard
                    200308, August 2003. Available as
                    http://www.oasis-open.org/committees/download.php
                    /3400/oasis-sstc-saml-1.1-pdf-xsd.zip
                    
     [SAMLv2.0]     OASIS Security Services Technical Committee,
                    "Security Assertion Markup Language (SAML)
                    Version 2.0 Specification Set". WORK IN
                    PROGRESS. Available at
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Bind]   S. Cantor et al., "Bindings for the OASIS Security
                    Assertion Markup Language (SAML) V2.0". OASIS 
                    SSTC, August 2004. Document ID
                    sstc-saml-bindings-2.0-cd-01, WORK IN PROGRESS. 
                    See http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Core]   S. Cantor et al., "Assertions and Protocols for 
                    the OASIS Security Assertion Markup Language
                    (SAML) V2.0". OASIS SSTC, August 2004. Document
                    ID sstc-saml-core-2.0-cd-01, WORK IN PROGRESS.
                    See http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Meta]   S. Cantor et al., "Metadata for the OASIS Security
                    Assertion Markup Language (SAML) V2.0". OASIS
                    SSTC, August 2004. Document ID
                    sstc-saml-metadata-2.0-cd-01. See
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Prof]   S. Cantor et al., "Profiles for the OASIS Security
                    Assertion Markup Language (SAML) V2.0". OASIS 
                    SSTC, August 2004. Document ID
                    sstc-saml-profiles-2.0-cd-01, WORK IN PROGRESS. 
                    See http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Sec]    F. Hirsch et al., "Security and Privacy
                    Considerations for the OASIS Security Assertion
                    Markup Language (SAML) V2.0". OASIS SSTC, August
                    2004, WORK IN PROGRESS. Document ID
                    sstc-saml-sec-consider-2.0-cd-01. See
                    http://www.oasis-open.org/committees/security/
                    
     [SSTC]         "OASIS Security Services Technical Committee". See
                    http://www.oasis-open.org/committees/security/
                    
     [XML]          Bray, T., Paoli, J., Sperberg-McQueen, C.M. and 
                    E. Maler, "Extensible Markup Language (XML) 1.0 
                    (Second Edition)", World Wide Web Consortium
                    Recommendation REC-xml, October 2000, Available 
                    as http://www.w3.org/TR/REC-xml




---
end
