for review: draft -01 of application/samlmetadata+xml registration
Jeff.Hodges at KingsMountain.com
Mon Sep 20 21:42:46 CEST 2004
Registration of MIME media type application/samlmetadata+xml
<@@NOTE: This document is:
sstc-saml-2.0-application-samlmetadata-registration-01
Jeff Hodges <Jeff.Hodges at Sun.com>
20-Sep-2004
This document is intended to be included in
sstc-saml-metadata-2.0-cd-02 (i.e. the next time [SAMLv2Meta] is
rev'd), as an appendix.
Please see http://www.w3.org/2002/06/registering-mediatype.html
for an overview of the intricacies involved when a non-IETF organization
registers a MIME media type in the "standards tree" (aka "IETF
tree").
The below registration material is intended to satisfy the
requirements stated in draft-freed-media-type-reg-01.txt (which
superseded draft-freed-mime-p4-04.txt).
This "NOTE" is intended to be removed upon copying this document's
content into [SAMLv2Meta].
Acknowledgments: Thanks to Ned Freed, Larry Masinter, Graham Klyne,
and Chris Lilley for their comments on prior drafts of this
registration. The security considerations section leverages that of
http://www.iana.org/assignments/media-types/application/vnd.paos+xml,
by John Kemp.
>
To: ietf-types at iana.org
Subject: Registration of MIME media type application/samlmetadata+xml
Introduction
This document defines a MIME media type --
application/samlmetadata+xml -- for use with the XML
serialization of Security Assertion Markup Language metadata.
SAML is a work product of the OASIS Security Services Technical
Committee [SSTC]. The SAML specifications define XML-based
constructs with which one may make, and convey, security
assertions. Using SAML, one can assert that an authentication
event pertaining to some subject has occurred and convey said
assertion to a relying party, for example.
SAML profiles require agreements between system entities
regarding identifiers, binding support, endpoints,
certificates, keys, and so forth. Such information is treated
as metadata by SAML v2.0. [SAMLv2Meta] specifies this metadata,
as well as specifying metadata publication and resolution
mechanisms. If the publishing protocol permits MIME-based
identification of content types, then use of the
application/samlmetadata+xml MIME media type is required.
MIME media type name: application
MIME subtype name: samlmetadata+xml
Required parameters: none
Optional parameters: charset
Same as charset parameter of application/xml [RFC3023].
Encoding considerations:
Same as for application/xml [RFC3023].
Security considerations:
Per their specification, samlmetadata+xml typed objects do not
contain executable content. However, these objects are
XML-based [XML], and thus they have all of the general security
considerations presented in section 10 of [RFC3023].
SAML metadata [SAMLv2Meta] contains information whose integrity
and authenticity is important: identity provider and service
provider public keys and endpoint addresses, for example.
To counter potential issues, the publisher may sign
samlmetadata+xml typed objects. Any such signature should be
verified by the recipient of the data - both as a valid
signature, and as being the signature of the publisher.
Additionally, various of the publication protocols, e.g.
HTTP-over-TLS/SSL, offer means for ensuring the authenticity of
the publishing party and for protecting the metadata in
transit. [SAMLv2Meta] also defines prescriptive metadata
caching directives, as well as guidance on handling HTTPS
redirects, trust processing, server authentication, and related
items.
For a more detailed discussion of SAML v2.0 metadata and its
security considerations, please see [SAMLv2Meta]. For a
discussion of overall SAML v2.0 security considerations and
specific security-related design features, please refer to the
SAML v2.0 specifications listed in the below bibliography. The
specifications containing security-specific information are
explicitly listed.
Interoperability considerations:
SAML v2.0 metadata explicitly supports identifying the
protocols and versions supported by the identified entities.
For example, an identity provider entity can be denoted as
supporting SAML v2.0, SAML v1.1 [SAMLv1.1], Liberty ID-FF 1.2
[LAPFF], or even other protocols if they are unambiguously
identifiable via URI [RFC2396]. This protocol support
information is conveyed via the protocolSupportEnumeration
attribute of metadata objects of the RoleDescriptorType.
Published specification:
[SAMLv2Meta] explicitly specifies use of the
application/samlmetadata+xml MIME media type.
Applications which use this media type:
Potentially any application implementing SAML v2.0, as well as
those applications implementing specifications based on SAML,
e.g. those available from the Liberty Alliance [LAP].
Additional information:
Magic number(s):
In general, the same as for application/xml [RFC3023]. In
particular, the XML root element of the returned object
will be one of <EntityDescriptor>,
<AffiliationDescriptor>, or <EntitiesDescriptor>, and will
be in the SAMLv2.0 metadata namespace:
urn:oasis:names:tc:SAML:2.0:metadata
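The magic-number check above, the protocolSupportEnumeration attribute from the interoperability considerations, and the "is it signed, and for how long is it valid" questions from the security considerations can all be answered with a small inspection routine. The following is an added example, not part of this registration or of any SAML implementation; the metadata document is constructed for illustration, the entity and endpoint names are made up, and the validUntil and cacheDuration attributes are the caching directives defined in [SAMLv2Meta].

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Root elements permitted by the registration's magic-number rule.
ROOTS = {"EntityDescriptor", "EntitiesDescriptor", "AffiliationDescriptor"}

# Constructed sample: a minimal, unsigned IdP descriptor (hypothetical entity).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml" validUntil="2004-12-31T00:00:00Z">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol"/>
</md:EntityDescriptor>"""


def split_qname(tag):
    # ElementTree renders a namespaced tag as "{namespace}local".
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def is_saml_metadata(doc):
    """Magic-number check: root element must be one of the three
    descriptor elements and live in the SAML 2.0 metadata namespace."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return False
    ns, local = split_qname(root.tag)
    return ns == MD_NS and local in ROOTS


def inspect(doc):
    """Collect what a recipient should look at before relying on the object:
    root type, entityID, whether a ds:Signature is present (it still has to be
    verified against the publisher's key), caching directives, and the
    protocols the described roles claim to support."""
    root = ET.fromstring(doc)
    protocols = set()
    for el in root.iter():
        enum = el.get("protocolSupportEnumeration")
        if enum:
            protocols.update(enum.split())  # space-separated list of URIs
    return {
        "root": split_qname(root.tag)[1],
        "entityID": root.get("entityID"),
        "signed": root.find(f"{{{DS_NS}}}Signature") is not None,
        "validUntil": root.get("validUntil"),
        "cacheDuration": root.get("cacheDuration"),
        "protocols": sorted(protocols),
    }
```

The presence check for ds:Signature only tells a recipient that verification is required; it is not a substitute for validating the signature and binding it to the expected publisher.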
File extension(s): none
Macintosh File Type Code(s): none
Person & email address to contact for further information:
This registration is made on behalf of the OASIS Security
Services Technical Committee (SSTC). Please refer to the SSTC
website for current information on committee chairperson(s) and
their contact addresses:
http://www.oasis-open.org/committees/security/. Committee
members should submit comments and potential errata to the
securityservices at lists.oasis-open.org list. Others should
submit them by filling out the web form located at
http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=
Additionally, the SAML developer community email distribution
list, saml-dev at lists.oasis-open.org, may be employed to discuss
usage of the application/samlmetadata+xml MIME media type. The
"saml-dev" mailing list is publicly archived here:
http://lists.oasis-open.org/archives/saml-dev/. To post to the
"saml-dev" mailing list, one must subscribe to it. To
subscribe, send a message with the single word "subscribe" in
the message body, to: saml-dev-request at lists.oasis-open.org.
Intended usage: COMMON
Author/Change controller:
The SAML specification sets are a work product of the OASIS
Security Services Technical Committee (SSTC). OASIS and the
SSTC have change control over the SAML specification sets.
Bibliography
[LAP] "Liberty Alliance Project". See
http://www.projectliberty.org/
[LAPFF] "Liberty Alliance Project: Federation Framework". See
http://www.projectliberty.org/resources
/specifications.php#box1
[OASIS] "Organization for the Advancement of Structured
Information Systems". See
http://www.oasis-open.org/
[RFC2396] T. Berners-Lee, R. Fielding, L. Masinter, Uniform
Resource Identifiers (URI): Generic Syntax. IETF
RFC 2396, August 1998. Available at
http://www.ietf.org/rfc/rfc2396.txt
[RFC3023] M. Murata, S. St.Laurent, D. Kohn, "XML Media Types",
IETF Request for Comments 3023, January 2001.
Available as
http://www.rfc-editor.org/rfc/rfc3023.txt
[SAMLv1.1] OASIS Security Services Technical Committee,
"Security Assertion Markup Language (SAML)
Version 1.1 Specification Set". OASIS Standard
200308, August 2003. Available as
http://www.oasis-open.org/committees/download.php
/3400/oasis-sstc-saml-1.1-pdf-xsd.zip
[SAMLv2.0] OASIS Security Services Technical Committee,
"Security Assertion Markup Language (SAML)
Version 2.0 Specification Set". WORK IN
PROGRESS. Available at
http://www.oasis-open.org/committees/security/
[SAMLv2Bind] S. Cantor et al., "Bindings for the OASIS Security
Assertion Markup Language (SAML) V2.0". OASIS
SSTC, August 2004. Document ID
sstc-saml-bindings-2.0-cd-01, WORK IN PROGRESS.
See http://www.oasis-open.org/committees/security/
[SAMLv2Core] S. Cantor et al., "Assertions and Protocols for
the OASIS Security Assertion Markup Language
(SAML) V2.0". OASIS SSTC, August 2004. Document
ID sstc-saml-core-2.0-cd-01, WORK IN PROGRESS.
See http://www.oasis-open.org/committees/security/
[SAMLv2Meta] S. Cantor et al., Metadata for the OASIS Security
Assertion Markup Language (SAML) V2.0. OASIS
SSTC, August 2004. Document ID
sstc-saml-metadata-2.0-cd-01. See
http://www.oasis-open.org/committees/security/
[SAMLv2Prof] S. Cantor et al., "Profiles for the OASIS Security
Assertion Markup Language (SAML) V2.0". OASIS
SSTC, August 2004. Document ID
sstc-saml-profiles-2.0-cd-01, WORK IN PROGRESS.
See http://www.oasis-open.org/committees/security/
[SAMLv2Sec] F. Hirsch et al., "Security and Privacy
Considerations for the OASIS Security Assertion
Markup Language (SAML) V2.0". OASIS SSTC, August
2004, WORK IN PROGRESS. Document ID
sstc-saml-sec-consider-2.0-cd-01. See
http://www.oasis-open.org/committees/security/
[SSTC] "OASIS Security Services Technical Committee". See
http://www.oasis-open.org/committees/security/
[XML] Bray, T., Paoli, J., Sperberg-McQueen, C.M. and
E. Maler, "Extensible Markup Language (XML) 1.0
(Second Edition)", World Wide Web Consortium
Recommendation REC-xml, October 2000, Available
as http://www.w3.org/TR/REC-xml
---
end