> -------- Original Message --------
> Subject: [Sip] SIP Saml Review by Marcos Dytz
> Date: Mon, 18 Jun 2007 10:39:20 +0200
> From: Tschofenig, Hannes <[EMAIL PROTECTED]>
> To: SIP IETF <[email protected]>
> CC: ext Marcos Dytz <[EMAIL PROTECTED]>
>
> 1) ...  (or, at
> least, specifying that it can be used to convey attributes, query for
> information, etc).

yes, we can attempt to clarify this in the draft.


> 2) The SAML assertion profile sounds weird, although I never completely
> had a complete grasp of its meaning.

You're referring to section "6.1.4. Assertion Profile Description" of -sip-saml-02, yes?

> I understand that it is connected
> with the implementation, but it never actually had any particular use to
> me (or I never gave it much attention). I rather see it as details that
> developers had to apply in order to have the implementation working and
> must be added to the specification in order to avoid interoperability
> issues.

I called it an "assertion profile" because it "profiles" SAML assertions for use in this particular context. SAML assertions are explicitly tailorable, so each SAML profile needs to do this as well as specify how they are to be conveyed. Since they are security tokens, explicitly defining their content and the semantics thereof is important.



> 3) I believe it is worth mentioning that one invalid condition locks the
> whole assertion.

by "locks" you mean "invalidates"? Sure, we can try to clarify this, but in section "6.1.5. Assertion Verification", step 11, we do note that the validity period must be validated -- though yes we should perhaps explicitly state that an assertion that fails any of the 11 steps MUST be deemed invalid (good catch).


> 4) I also believe that is worth mentioning that the Identity-Info is
> connected with CERTS and might go through deployment issues.

This is tied to our perhaps thorniest open issue, which is discussed here:

[Sip] wrt RFC4474 Identity-Info header field referent issue (was: SIP SAML Review by Richard Barnes)
http://www1.ietf.org/mail-archive/web/sip/current/msg19686.html

http://www.tschofenig.com:8080/saml-sip/issue12

So, yes, we need to clarify appropriately once we deal with the issue.


> 5) Is there something missing on 7.1? Sounded incomplete to me.

AFAIK it is complete in a technical sense. I believe some other reviewers had more detailed comments on it, so we will likely be looking into it in any case.


> 7) The part of the AS as an authenticator and proxy could be further
> clarified.

which section/paragraph are you referring to?

thanks for your review,

=JeffH
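The "one invalid condition invalidates the whole assertion" semantics raised in point 3 above, as an added example that is not part of this thread or of the -sip-saml draft: a relying-party check over the SAML 2.0 Conditions element that rejects on the first failing validity window, audience mismatch, or condition type it does not implement (an unrecognised condition makes validity Indeterminate, which a relying party must not treat as valid). The assertion and the audience value `sip:proxy.example.com` are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Condition types this relying party implements; anything else is rejected.
KNOWN_CONDITIONS = {"AudienceRestriction", "OneTimeUse"}

# Constructed sample assertion (not from the draft); signature omitted since
# only the Conditions evaluation is shown here.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0"
    IssueInstant="2007-06-18T08:00:00Z">
  <saml:Issuer>https://as.example.net</saml:Issuer>
  <saml:Conditions NotBefore="2007-06-18T08:00:00Z" NotOnOrAfter="2007-06-18T08:10:00Z">
    <saml:AudienceRestriction><saml:Audience>sip:proxy.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML xs:dateTime values are UTC with a 'Z' suffix; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def conditions_valid(assertion_xml, now, expected_audience):
    """Return (ok, reason). The first failing check invalidates the whole assertion."""
    root = ET.fromstring(assertion_xml)
    conds = root.find(f"{{{SAML_NS}}}Conditions")
    if conds is None:
        return True, "no Conditions element"
    nb = conds.get("NotBefore")
    if nb is not None and now < parse_saml_time(nb):
        return False, "NotBefore is in the future"
    noa = conds.get("NotOnOrAfter")
    if noa is not None and now >= parse_saml_time(noa):
        return False, "NotOnOrAfter has been reached"
    for child in conds:
        local = child.tag.rsplit("}", 1)[-1]
        if local not in KNOWN_CONDITIONS:
            # Unknown condition => Indeterminate => treat as invalid
            return False, f"unrecognised condition {local}"
        if local == "AudienceRestriction":
            audiences = [a.text for a in child.findall(f"{{{SAML_NS}}}Audience")]
            if expected_audience not in audiences:
                return False, "audience mismatch"
    return True, "all conditions satisfied"
```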




_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
