for review: draft -03 of application/samlassertion+xml registration

Jeff.Hodges at KingsMountain.com
Tue Sep 21 19:34:06 CEST 2004


this rev of the application/samlassertion+xml reflects the enhancements 
recently suggested by Martin & Graham. thanks,

JeffH


   Registration of MIME media type application/samlassertion+xml

<@@NOTE: This document is:

sstc-saml-2.0-application-samlassertion-registration-03
Jeff Hodges <Jeff.Hodges at Sun.com>
21-Sep-2004

This document supersedes draft-hodges-saml-mediatype-02.txt. It is
intended to be included in sstc-saml-bindings-2.0-cd-02 (i.e. the next
time [SAMLv2Bind] is revised), as an appendix.

Please see http://www.w3.org/2002/06/registering-mediatype.html
for an overview of the intricacies involved when a non-IETF organization
registers a MIME media type in the "standards tree" (aka "IETF
tree"). Please also note that that document is W3C-specific, and is only
pointed to here as a source for overall information rather than
normative procedures.

The below registration material is intended to satisfy the
requirements stated in draft-freed-media-type-reg-01.txt (which
superseded draft-freed-mime-p4-04.txt).

This "NOTE" is intended to be removed upon copying this document's
content into [SAMLv2Bind].

Acknowledgments: Thanks to Ned Freed, Larry Masinter, Graham Klyne,
and Chris Lilley for their comments on prior drafts of this
registration. The security considerations section leverages that of
http://www.iana.org/assignments/media-types/application/vnd.paos+xml,
by John Kemp.
>


To: ietf-types at iana.org
Subject: Registration of MIME media type
application/samlassertion+xml

Introduction
     This document defines a MIME media type --
     application/samlassertion+xml -- for use with the XML
     serialization of SAML (Security Assertion Markup Language)
     assertions.

     The SAML specification sets -- [SAMLv1.0], [SAMLv1.1],
     [SAMLv2.0] -- are work products of the OASIS Security Services
     Technical Committee [SSTC]. The SAML specifications define
     XML-based constructs with which one may make, and convey,
     security assertions. Using SAML, one can assert that an
     authentication event pertaining to some subject has occurred and
     convey said assertion to a relying party, for example.

     SAML assertions, which are explicitly versioned, are defined by
     [SAMLv1Core], [SAMLv11Core], and [SAMLv2Core].

MIME media type name: application

MIME subtype name: samlassertion+xml

Required parameters: none

Optional parameters: charset
     Same as charset parameter of application/xml [RFC3023].

Encoding considerations:
     Same as for application/xml [RFC3023].

Security considerations:
     Per their specification, samlassertion+xml typed objects do not
     contain executable content. However, SAML assertions are
     XML-based objects [XML]. As such, they have all of the general
     security considerations presented in section 10 of [RFC3023],
     as well as additional ones, since they are explicit security
     objects. For example, samlassertion+xml typed objects will
     often contain data that may identify or pertain to a natural
     person, and may be used as a basis for sessions and access
     control decisions.

     To counter such issues, the data in samlassertion+xml typed
     objects should be signed appropriately by the sender. Any such
     signature must be verified by the recipient of the data - both
     as a valid signature, and as being the signature of the sender.
     Issuers of samlassertion+xml objects containing SAMLv2
     assertions may also encrypt all, or portions of, the assertions
     [SAMLv2Core].

     In addition, SAML profiles and protocol bindings specify use of
     secure channels as appropriate.

     [SAMLv2.0] incorporates various privacy-protection techniques
     in its design. For example: opaque handles, specific to
     interactions between specific system entities, may be assigned
     to subjects. The handles are mappable to wider-context
     identifiers (e.g. email addresses, account identifiers, etc) by
     only the specific parties.

     For a more detailed discussion of SAML security considerations
     and specific security-related design techniques, please refer
     to the SAML specifications listed in the below bibliography.
     The specifications containing security-specific information
     have been explicitly listed for each version of SAML.

Interoperability considerations:
     SAML assertions are explicitly versioned. Relying parties
     should ensure that they observe assertion version information
     and behave accordingly. See "Chapter 4 SAML Versioning" in
     [SAMLv1Core], [SAMLv11Core], or [SAMLv2Core], as appropriate.

Published specification:
     [SAMLv2Bind] explicitly specifies use of the
     application/samlassertion+xml MIME media type. However, it is
     conceivable that non-SAMLv2 assertions (i.e. SAMLv1 and/or
     SAMLv1.1) might in practice be conveyed using SAMLv2 bindings.

Applications which use this media type:
     Potentially any application implementing SAML, as well as those
     applications implementing specifications based on SAML, e.g.
     those available from the Liberty Alliance [LAP].

Additional information:

     Magic number(s):
          In general, the same as for application/xml [RFC3023]. In 
          particular, the XML root element of the returned object
          will have a namespace-qualified name with:

               - a local name of: Assertion

               - a namespace URI of: one of the version-specific
                 SAML assertion XML namespace URIs, as defined by
                 the appropriate version-specific SAML "core"
                 specification (see bibliography).

          With SAMLv2.0 specifically, the root element of the
          returned object may be either <saml:Assertion> or
          <saml:EncryptedAssertion>, where "saml" represents any XML
          namespace prefix that maps to the SAMLv2.0 assertion
          namespace URI:

               urn:oasis:names:tc:SAML:2.0:assertion


     File extension(s): none

     Macintosh File Type Code(s): none
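
     The root-element check described under "Magic number(s)" above,
     together with the version check called for under "Interoperability
     considerations", as an added example (not part of this registration
     and not SSTC code). It dispatches on the namespace-qualified name of
     the root element only, then cross-checks the version attributes that
     the version-specific core specifications place on the root element.
     The sample documents, identifiers and issuer names are constructed
     for the example; the function and exception names are the example's
     own.

```python
"""Root-element sniffing for application/samlassertion+xml objects.

Added example, not part of the registration text or any SSTC code.
The sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from io import BytesIO

# Assertion namespaces defined by the version-specific "core" specifications.
# SAML 1.1 reuses the 1.0 namespace; the minor version lives in attributes.
SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class NotASamlAssertion(ValueError):
    """The object is not a samlassertion+xml object as registered."""


def sniff_assertion(data: bytes) -> dict:
    """Return {"version": "1.0"|"1.1"|"2.0", "encrypted": bool} for the root
    element of ``data`` or raise NotASamlAssertion.

    Only the first start event is consumed, so the decision is made from the
    root element alone, as a magic-number check should be. On untrusted input
    this should sit behind a hardened parser (e.g. defusedxml): the XML
    security considerations of RFC 3023 section 10 apply to the whole object.
    """
    try:
        _, root = next(ET.iterparse(BytesIO(data), events=("start",)))
    except StopIteration:
        raise NotASamlAssertion("no root element") from None
    except ET.ParseError as exc:
        raise NotASamlAssertion(f"not well-formed XML: {exc}") from None

    # ElementTree spells qualified names as "{namespace-uri}local-name".
    if root.tag.startswith("{"):
        ns, local = root.tag[1:].split("}", 1)
    else:
        ns, local = "", root.tag

    if ns == SAML2_ASSERTION_NS and local == "Assertion":
        # SAMLv2Core requires Version="2.0" on the root; a namespace that
        # disagrees with the version attribute is a malformed (or forged) object.
        if root.get("Version") != "2.0":
            raise NotASamlAssertion("SAMLv2 namespace but Version != 2.0")
        return {"version": "2.0", "encrypted": False}

    if ns == SAML2_ASSERTION_NS and local == "EncryptedAssertion":
        # The Version attribute is inside the ciphertext; it can only be
        # checked after decryption, so only the namespace is available here.
        return {"version": "2.0", "encrypted": True}

    if ns == SAML1_ASSERTION_NS and local == "Assertion":
        major, minor = root.get("MajorVersion"), root.get("MinorVersion")
        if major != "1" or minor not in ("0", "1"):
            raise NotASamlAssertion(f"unsupported SAMLv1 version {major}.{minor}")
        return {"version": f"1.{minor}", "encrypted": False}

    raise NotASamlAssertion(f"unexpected root element {{{ns}}}{local}")


def is_saml_assertion(data: bytes) -> bool:
    """Boolean form of sniff_assertion, for content-type dispatch."""
    try:
        sniff_assertion(data)
        return True
    except NotASamlAssertion:
        return False


# Constructed samples (not real assertions). The prefix is deliberately
# varied because only the namespace URI, not the prefix, is significant.
SAML2_ASSERTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_c0ffee" IssueInstant="2004-09-21T17:34:06Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
</saml:Assertion>"""

SAML2_ENCRYPTED = b"""<a:EncryptedAssertion xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
</a:EncryptedAssertion>"""

SAML11_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_deadbeef"
    Issuer="idp.example.org" IssueInstant="2004-09-21T17:34:06Z"/>"""

# A protocol message, not an assertion: different root and namespace.
SAML2_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Version="2.0" ID="_r1" IssueInstant="2004-09-21T17:34:06Z"/>"""

# Right local name, no namespace: must not be accepted.
UNQUALIFIED = b'<Assertion Version="2.0"/>'

# SAMLv2 namespace carrying a SAMLv1-style version attribute: inconsistent.
MIXED_VERSION = b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" MajorVersion="1"/>'


if __name__ == "__main__":
    for name, doc in [("saml2", SAML2_ASSERTION), ("encrypted", SAML2_ENCRYPTED),
                      ("saml1.1", SAML11_ASSERTION), ("response", SAML2_RESPONSE),
                      ("unqualified", UNQUALIFIED), ("mixed", MIXED_VERSION)]:
        try:
            print(name, sniff_assertion(doc))
        except NotASamlAssertion as exc:
            print(name, "rejected:", exc)
```

     The check deliberately rejects a bare <Assertion> with no namespace
     and a <samlp:Response> wrapper: the registration covers assertions
     only, and a relying party that accepted either would be dispatching
     on the local name rather than the qualified name.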

Person & email address to contact for further information:
     This registration is made on behalf of the OASIS Security
     Services Technical Committee (SSTC). Please refer to the SSTC
     website for current information on committee chairperson(s) and
     their contact addresses:
     http://www.oasis-open.org/committees/security/. Committee
     members should submit comments and potential errata to the
     securityservices at lists.oasis-open.org list. Others should 
     submit them by filling out the web form located at
     http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=

     Additionally, the SAML developer community email distribution
     list, saml-dev at lists.oasis-open.org, may be employed to discuss
     usage of the application/samlassertion+xml MIME media type. The
     "saml-dev" mailing list is publicly archived here:
     http://lists.oasis-open.org/archives/saml-dev/. To post to the 
     "saml-dev" mailing list, one must subscribe to it. To
     subscribe, send a message with the single word "subscribe" in
     the message body, to: saml-dev-request at lists.oasis-open.org.

Intended usage: COMMON

Author/Change controller:
     The SAML specification sets are a work product of the OASIS
     Security Services Technical Committee (SSTC). OASIS and the
     SSTC have change control over the SAML specification sets.

Bibliography

     [LAP]          "Liberty Alliance Project". See
                    http://www.projectliberty.org/
                    
     [OASIS]        "Organization for the Advancement of Structured
                    Information Standards". See
                    http://www.oasis-open.org/
                    
     [RFC3023]      M. Murata, S. St. Laurent, D. Kohn, "XML Media Types",
                    IETF Request for Comments 3023, January 2001.
                    Available as
                    http://www.rfc-editor.org/rfc/rfc3023.txt
                    
     [SAMLv1.0]     OASIS Security Services Technical Committee,
                    "Security Assertion Markup Language (SAML)
                    Version 1.0 Specification Set". OASIS Standard
                    200205, November 2002. Available as
                    http://www.oasis-open.org/committees/download.php
                    /2290/oasis-sstc-saml-1.0.zip
                    
     [SAMLv1Bind]   Prateek Mishra et al., "Bindings and Profiles for
                    the OASIS Security Assertion Markup Language
                    (SAML)", OASIS, November 2002. Document ID
                    oasis-sstc-saml-bindings-1.0. See
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv1Core]   Phillip Hallam-Baker et al., "Assertions and
                    Protocol for the OASIS Security Assertion Markup
                    Language (SAML)", OASIS, November 2002. Document
                    ID oasis-sstc-saml-core-1.0. See
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv1Sec]    Chris McLaren et al., "Security Considerations for
                    the OASIS Security Assertion Markup Language
                    (SAML)", OASIS, November 2002. Document ID
                    oasis-sstc-saml-sec-consider-1.0. See
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv1.1]     OASIS Security Services Technical Committee,
                    "Security Assertion Markup Language (SAML)
                    Version 1.1 Specification Set". OASIS Standard
                    200308, August 2003. Available as
                    http://www.oasis-open.org/committees/download.php
                    /3400/oasis-sstc-saml-1.1-pdf-xsd.zip
                    
     [SAMLv11Bind]  E. Maler et al. "Bindings and Profiles for the
                    OASIS Security Assertion Markup Language
                    (SAML)". OASIS, September 2003. Document ID
                    oasis-sstc-saml-bindings-1.1.
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv11Core]  E. Maler et al. "Assertions and Protocol for the
                    OASIS Security Assertion Markup Language
                    (SAML)". OASIS, September 2003. Document ID
                    oasis-sstc-saml-core-1.1.
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv11Sec]   E. Maler et al. "Security Considerations for the
                    OASIS Security Assertion Markup Language
                    (SAML)". OASIS, September 2003. Document ID
                    oasis-sstc-saml-sec-consider-1.1.
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv2.0]     OASIS Security Services Technical Committee,
                    "Security Assertion Markup Language (SAML)
                    Version 2.0 Specification Set". WORK IN
                    PROGRESS. Available at
                    http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Bind]   S. Cantor et al., "Bindings for the OASIS Security
                    Assertion Markup Language (SAML) V2.0". OASIS 
                    SSTC, August 2004. Document ID
                    sstc-saml-bindings-2.0-cd-01, WORK IN PROGRESS. 
                    See http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Core]   S. Cantor et al., "Assertions and Protocols for
                    the OASIS Security Assertion Markup Language
                    (SAML) V2.0". OASIS SSTC, August 2004. Document
                    ID sstc-saml-core-2.0-cd-01, WORK IN PROGRESS.
                    See http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Prof]   S. Cantor et al., "Profiles for the OASIS Security
                    Assertion Markup Language (SAML) V2.0". OASIS 
                    SSTC, August 2004. Document ID
                    sstc-saml-profiles-2.0-cd-01, WORK IN PROGRESS. 
                    See http://www.oasis-open.org/committees/security/
                    
     [SAMLv2Sec]    F. Hirsch et al., "Security and Privacy
                    Considerations for the OASIS Security Assertion
                    Markup Language (SAML) V2.0". OASIS SSTC, August
                    2004, WORK IN PROGRESS. Document ID
                    sstc-saml-sec-consider-2.0-cd-01. See
                    http://www.oasis-open.org/committees/security/
                    
     [SSTC]         "OASIS Security Services Technical Committee". See
                    http://www.oasis-open.org/committees/security/
                    
     [XML]          T. Bray, J. Paoli, C. M. Sperberg-McQueen, E. Maler,
                    F. Yergeau, "Extensible Markup Language (XML) 1.0
                    (Third Edition)", World Wide Web Consortium
                    Recommendation REC-xml, February 2004. Available as
                    http://www.w3.org/TR/REC-xml/
                    
---
end