Hi Josh,
I have a few comments regarding version -02 of the aaa-saml draft.
Mostly typos.
0. Abstract
* "...RADIUS attribute, binding and two..:" -> "RADIUS attribute, a
binding and two..."
1. Introduction
* In the 3rd paragraph Diameter is mentioned, while it is not
mentioned again in the rest of the document. Indeed, it is a
RADIUS-specific document.
3. RADIUS SAML-Message Attribute
* Length should be >=3, not >=4, since it is stated in the text that
the Message field can have one or more octets (see the description of
the User-Name attribute in RFC 2865 for a similar attribute).
* I have a question related to the RADIUS maximum packet size. RFC
2865 states that the maximum size is 4096 bytes. That means that if
a SAML Assertion were bigger than 4K, it would be impossible to
transport it in a single RADIUS message. Even without signatures, a
SAML Assertion containing attributes may exceed this size if the
attributes contain enough data. Have you thought about any
mechanism to deal with this kind of situation, for example the use
of a Hash&URL or similar?
5.3.2
* "The Relying Party, on receiving the EAP-Response/Identity message
from the User Agent, MUST send it towards the Identity Provider
using the SAML RADIUS binding" -> Did you mean RADIUS EAP, or is
SAML RADIUS binding intended to transport EAP messages?
5.4.1
* "If the Relying Provider wishes to..." -> "If the Relying Party
wishes to..."
5.4.2
* "Provider is NOT obligated to honor the requested set of in the
<samlp:AuthnRequest>, if any." -> Something missing between "set of"
and "in the".
5.4.3
* "Verify that the InResponseTo attribute in the bearer
<saml:SubjectConfirmationData>" -> Shouldn't it be "sender-vouches"
instead of "bearer"?
Regards,
Alejandro
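The two points above about the attribute Length field and the 4096-octet packet limit can be checked numerically. The following Python is an added example written for this page; it is not code from the draft or from its authors. It encodes RFC 2865 style Type/Length/Value attributes, enforces the "one or more octets" minimum (Length >= 3), splits a long message across several attribute instances (the fragmentation scheme RFC 2865 uses for long string attributes), and computes how much message payload fits in one packet. The attribute type number 0xDD and the sample SAML fragment are constructed placeholders, not values assigned by the draft.

```python
import struct

RADIUS_MAX_PACKET = 4096   # maximum packet length, RFC 2865
RADIUS_HEADER_LEN = 20     # Code(1) Identifier(1) Length(2) Authenticator(16)
ATTR_HEADER_LEN = 2        # Type(1) Length(1)
ATTR_MAX_VALUE = 255 - ATTR_HEADER_LEN   # Length is a single octet, so <= 253 value octets
ATTR_MIN_LENGTH = 3        # Type + Length + at least one value octet

# Placeholder attribute type for this example; the draft excerpt above assigns none.
SAML_MESSAGE_TYPE = 0xDD

# Constructed sample: a SAML attribute statement repeated until it is well over 4K.
SAMPLE_SAML = b'<saml:Attribute Name="eduPersonAffiliation">member</saml:Attribute>' * 80


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value(1..253)."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one octet")
    if not 1 <= len(value) <= ATTR_MAX_VALUE:
        raise ValueError("value must be 1..253 octets")
    return struct.pack("!BB", attr_type, ATTR_HEADER_LEN + len(value)) + value


def decode_attribute(buf: bytes, offset: int = 0):
    """Parse one attribute at offset; return (type, value, next_offset).

    Rejects Length < 3 (no value octets) and Length running past the buffer,
    which is the check a receiver needs before trusting the Length octet.
    """
    if offset + ATTR_HEADER_LEN > len(buf):
        raise ValueError("truncated attribute header")
    attr_type, length = struct.unpack_from("!BB", buf, offset)
    if length < ATTR_MIN_LENGTH:
        raise ValueError("attribute Length must be >= 3")
    if offset + length > len(buf):
        raise ValueError("attribute Length exceeds packet")
    return attr_type, buf[offset + ATTR_HEADER_LEN:offset + length], offset + length


def is_valid_attribute(buf: bytes) -> bool:
    """Convenience wrapper: True if buf starts with a well-formed attribute."""
    try:
        decode_attribute(buf)
        return True
    except ValueError:
        return False


def fragment_message(attr_type: int, message: bytes) -> list:
    """Split a long message into consecutive attribute instances of one type."""
    return [encode_attribute(attr_type, message[i:i + ATTR_MAX_VALUE])
            for i in range(0, len(message), ATTR_MAX_VALUE)]


def reassemble(buf: bytes, attr_type: int) -> bytes:
    """Concatenate the values of all attributes of attr_type, in packet order."""
    parts, offset = [], 0
    while offset < len(buf):
        t, value, offset = decode_attribute(buf, offset)
        if t == attr_type:
            parts.append(value)
    return b"".join(parts)


def fits_in_one_packet(attrs: list) -> bool:
    """True if header plus all encoded attributes stay within 4096 octets."""
    return RADIUS_HEADER_LEN + sum(len(a) for a in attrs) <= RADIUS_MAX_PACKET


def max_message_octets_per_packet(other_attrs_len: int = 0) -> int:
    """Largest message payload one packet can carry via fragmented attributes.

    other_attrs_len reserves room for the other attributes a real packet
    carries (User-Name, Message-Authenticator, ...); 0 gives the upper bound.
    """
    budget = RADIUS_MAX_PACKET - RADIUS_HEADER_LEN - other_attrs_len
    full, rest = divmod(budget, ATTR_HEADER_LEN + ATTR_MAX_VALUE)
    payload = full * ATTR_MAX_VALUE
    if rest > ATTR_HEADER_LEN:          # a final, shorter attribute still fits
        payload += rest - ATTR_HEADER_LEN
    return payload


if __name__ == "__main__":
    frags = fragment_message(SAML_MESSAGE_TYPE, SAMPLE_SAML)
    print("message octets:", len(SAMPLE_SAML), "fragments:", len(frags))
    print("fits in one packet:", fits_in_one_packet(frags))
    print("max payload per packet (no other attributes):", max_message_octets_per_packet())
```

With no other attributes present, the ceiling is 4044 message octets per packet; every additional attribute in the same Access-Request lowers it, which is why an assertion of a few kilobytes with an XML signature cannot be assumed to fit.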
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Application Bridging for Federated Access
Beyond web Working Group of the IETF.
Title : A RADIUS Attribute, Binding and Profiles for SAML
Author(s) : Josh Howlett
Sam Hartman
Filename : draft-ietf-abfab-aaa-saml-02.txt
Pages : 14
Date : 2011-10-31
This document specifies a RADIUS attribute, binding and two profiles
for the Security Assertion Mark-up Language (SAML). The attribute
provides RADIUS encapsulation of SAML protocol messages, while the
binding describes the transport of this attribute, and the SAML
protocol messages within, using RADIUS. The profiles describe the
application of this binding for Abfab authentication and assertion
query/request. The SAML RADIUS attribute and binding are defined
generically to permit application in other scenarios, such as network
access.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-abfab-aaa-saml-02.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-abfab-aaa-saml-02.txt
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab