OpenID Signed Assertions 1.0 - Draft 1

Paul Madsen paulmadsen at rogers.com
Mon Dec 4 16:48:30 UTC 2006


Hi Dick, Eve Maler and I were thinking along the same lines and drafted 
the enclosed SAML Attribute profile for the OpenID SimpleReg extension.

It has less grand ambitions than yours (e.g. no signing) but otherwise 
seems nicely aligned

Regards

Paul

p.s. and our profile bears a debt to John's initial DIX spec as well

Dick Hardt wrote:
> Hello List
>
> Attached is a specification for using SAML to bind properties to an 
> OpenID Identifier. The mechanism for refreshing the Assertion still 
> needs to be worked out. Look forward to discussing this and the 
> Attribute Exchange specifications at IIW with those of you there.
>
> -- Dick
>
>
>
> ------------------------------------------------------------------------
>
> TOC <#toc>
>
> Draft 	D. Hardt
> 	Sxip Identity
> 	November 2006
>
>
>
>   OpenID Signed Assertions 1.0 - Draft 01
>
>
>       Abstract
>
> This document describes a SAML assertion schema extension for encoding 
> third-party attested attribute value claims as OpenID attributes for 
> use with the OpenID Attribute eXchange service.
>
>
> ------------------------------------------------------------------------
>
>
>       Table of Contents
>
> 1. <#anchor1> Introduction
> 2. <#anchor2> Terminology
> 2.1. <#anchor3> Definitions and Conventions
> 3. <#anchor4> SAML Introduction
> 3.1. <#anchor5> SAML Assertions
> 4. <#anchor6> Employing SAML in OpenID
> 4.1. <#anchor7> Assertion Attributes
> 5. <#saml-attribute> OpenID SAML Attribute Profile
> 5.1. <#anchor8> Required Information
> 5.2. <#anchor9> SAML Attribute Naming
> 5.3. <#anchor10> Profile-Specific XML Attributes
> 5.4. <#anchor11> SAML Attribute Values
> 5.5. <#anchor12> Example
> 6. <#saml-assertion> Assertion Schema Extension
> 6.1. <#anchor13> Element openid:Assertion
> 6.1.1. <#anchor14> Element saml:Assertion
> 7. <#assertion-schema> OpenID Assertion Schema
> 8. <#refresh> Refreshing an Assertion
> 9. <#example-assertion> Example Signed SAML Assertion
> 10. <#anchor19> Security Considerations
> 11. <#anchor20> Acknowledgements
> 12. <#rfc.references1> References
> 12.1. <#rfc.references1> Normative References
> 12.2. <#rfc.references2> Informative References
> § <#rfc.authors> Author's Address
>
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       1. Introduction
>
> This document specifies an assertion schema extension of the Security 
> Assertion Markup Language (SAML) V2.0 called 'OpenID Signed 
> Assertions', for use with the OpenID [OpenID.authentication‑2.0] 
> (Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, “OpenID 
> Authentication 2.0 - Draft 10,” August 2006.) 
> <#OpenID.authentication-2.0> Attribute eXchange service 
> [OpenID.attribute‑exchange‑1.0] (Hardt, D., “OpenID Attribute Exchange 
> 1.0 - Draft 03,” November 2006.) <#OpenID.attribute-exchange-1.0>.
>
> Security Assertion Markup Language (SAML) v2.0, "SAMLv2", is an 
> XML-based framework for creating and exchanging security information. 
> The SAMLv2 specification set is normatively defined by 
> [OASIS.saml‑conformance‑2.0‑os] (Mishra, P., Philpott, R., and E. 
> Maler, “Conformance Requirements for the Security Assertion Markup 
> Language (SAML) V2.0,” March 2005.) <#OASIS.saml-conformance-2.0-os>.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       2. Terminology
>
> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
> document are to be interpreted as described in [RFC2119] (Bradner, S., 
> “Key words for use in RFCs to Indicate Requirement Levels,” March 
> 1997.) <#RFC2119>.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       2.1. Definitions and Conventions
>
> [NOTE: Update terminology based on final OpenID 2.0 draft.]
>
> In this specification, the term, or term component, "SAML" refers to 
> SAML V2.0 in all cases. For example, the term "SAML assertion" 
> implicitly means "SAMLv2 assertion".
>
> For overall SAML terminology, see [OASIS.saml‑glossary‑2.0‑os] 
> (Hodges, J., Philpott, R., and E. Maler, “Glossary for the Security 
> Assertion Markup Language (SAML) V2.0,” March 2005.) 
> <#OASIS.saml-glossary-2.0-os>.
>
> Conventional XML namespace prefixes are used throughout this 
> specification to stand for their respective namespaces as follows, 
> whether or not a namespace declaration is present in the example:
>
>     Prefix: openid
>         XML Namespace: http://openid.net/xmlns/2.0. 
>     Prefix: ds
>         XML Namespace: http://www.w3.org/2000/09/xmldsig#. This
>         namespace is defined in the XML Signature Syntax and
>         Processing specification [W3C.REC‑xmldsig‑core‑20020212]
>         (Solo, D., Eastlake, D., and J. Reagle, “XML-Signature Syntax
>         and Processing,” February 2002.)
>         <#W3C.REC-xmldsig-core-20020212> and its governing schema. 
>     Prefix: saml
>         XML Namespace: urn:oasis:names:tc:SAML:2.0:assertion. This is
>         the SAML V2.0 assertion namespace [OASIS.saml‑core‑2.0‑os]
>         (Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions
>         and Protocol for the OASIS Security Assertion Markup Language
>         (SAML) V2.0,” March 2005.) <#OASIS.saml-core-2.0-os>. 
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       3. SAML Introduction
>
> SAML [OASIS.saml‑core‑2.0‑os] (Cantor, S., Kemp, J., Philpott, R., and 
> E. Maler, “Assertions and Protocol for the OASIS Security Assertion 
> Markup Language (SAML) V2.0,” March 2005.) <#OASIS.saml-core-2.0-os> 
> defines an XML-based framework for exchanging "security assertions" 
> between entities.
>
> SAML can be employed to make and encode statements such as "Beth has 
> these profile attributes and her domain's certificate is available 
> over there, and I'm making this statement, and here's who I am."
>
> A SAML assertion profile is the specification of the assertion schema 
> extension in the context of a particular SAML profile. It is possibly 
> further qualified by a particular implementation and/or deployment 
> context. Condensed examples of SAML assertion profiles are:
>
>     * The SAML assertion must contain at least one authentication
>       statement and no other statements. The relying party must be
>       represented in the <AudienceRestriction> element. The
>       SubjectConfirmation Method must be Foo. etc.
>     * The SAML assertion must contain at least one attribute statement
>       and may contain more than one. The values for the subject's
>       profile attributes named "Foo" and "Bar" must be present. An
>       authentication statement may be present. etc.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       3.1. SAML Assertions
>
> A SAML assertion is a package of information including issuer and 
> subject, conditions and advice, and/or attribute statements, and/or 
> authentication statements and/or other statements. Statements may or 
> may not be present. The SAML assertion "container" itself contains the 
> following information:
>
>     Issuing information:
>         Who issued the assertion, when was it issued and the assertion
>         identifier. 
>     Subject information:
>         The name of the subject, the security domain and optional
>         subject information, like public key. 
>     Conditions under which the assertion is valid:
>         Special kind of conditions like assertion validity period,
>         audience restriction and target restriction. 
>     Additional advice:
>         Explaining how the assertion was made, for example. 
>
> In terms of SAML assertions containing SAML attribute statements, here 
> is an explanatory example:
>
>     With a SAML assertion containing a SAML attribute statement, an
>     issuing authority is asserting that the subject is associated with
>     certain attributes with certain subject profile attribute values.
>     For example, user http://www.home.com/beth is associated with the
>     attribute http://openid.net/schema/contact/internet/email, which
>     has the value beth at home.com.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       4. Employing SAML in OpenID
>
> Employing SAML in OpenID necessitates devising a new SAML Assertion 
> Profile and a new SAML Attribute Profile because those already 
> specified in the SAMLv2 specification set are specific to other use 
> contexts and use cases. This does not present any untoward 
> difficulties due to SAML's inherent and explicit extensibility.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       4.1. Assertion Attributes
>
> The OpenID attribute exchange service [OpenID.attribute‑exchange‑1.0] 
> (Hardt, D., “OpenID Attribute Exchange 1.0 - Draft 03,” November 
> 2006.) <#OpenID.attribute-exchange-1.0> is used to convey SAML 
> assertions within an OpenID protocol session. In effect, a SAML 
> assertion is used as an envelope to contain conventional OpenID 
> attribute value pairs. This envelope is then assigned as a value for 
> the SAML assertion attribute type. An attribute value that contains a 
> SAML assertion MUST be base 64 [RFC3548] (Josefsson, S., “The Base16, 
> Base32, and Base64 Data Encodings,” July 2003.) <#RFC3548> encoded.
>
> Assertion attribute names MAY be any unique identifier as outlined in 
> [OpenID.attribute‑exchange‑1.0] (Hardt, D., “OpenID Attribute Exchange 
> 1.0 - Draft 03,” November 2006.) <#OpenID.attribute-exchange-1.0>.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       5. OpenID SAML Attribute Profile
>
> The OpenID Attribute Profile specifies how OpenID attributes can be 
> represented as SAML Attributes.
>
> An OpenID attribute is an property value assertion that can either be 
> self asserted or asserted by a third party. An example of a third 
> party assertion would be a government agency aserting that Beth is 
> older than 21. This Attribute Profile describes a OpenID attribute 
> represented as a SAML Assertion.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       5.1. Required Information
>
> The information given in this section is similar to the information 
> provided when registering something, a MIME Media Type, say, with 
> IANA. In this case, it is for registering this profile with the OASIS 
> SSTC. See section 2 "Specification of Additional Profiles" in 
> [OASIS.saml‑profiles‑2.0‑os] (Hughes, J., Cantor, S., Hodges, J., 
> Hirsch, F., Mishra, P., Philpott, R., and E. Maler, “Profiles for the 
> OASIS Security Assertion Markup Language (SAML) V2.0,” March 2005.) 
> <#OASIS.saml-profiles-2.0-os>.
>
>     Identification:
>         TBD: urn:openid:saml-profile:attribute or
>         http://openid.net/saml-profile/attribute 
>     Contact Information:
>         TBD: someone's or something's contact info goes here. 
>     Description:
>         Given below. 
>     Updates:
>         None. 
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       5.2. SAML Attribute Naming
>
> The NameFormat XML attribute in <Attribute> must be 
> urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri. The Name XML 
> attribute MUST be the OpenID attribute name and MUST adhere to the 
> rules specified for that format. OpenID attribute names are defined in 
> [OpenID.attribute‑exchange‑1.0] (Hardt, D., “OpenID Attribute Exchange 
> 1.0 - Draft 03,” November 2006.) <#OpenID.attribute-exchange-1.0>. 
> SAML Attribute Name formats are defined in [OASIS.saml‑core‑2.0‑os] 
> (Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and 
> Protocol for the OASIS Security Assertion Markup Language (SAML) 
> V2.0,” March 2005.) <#OASIS.saml-core-2.0-os>.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       5.3. Profile-Specific XML Attributes
>
> No additional XML attributes are defined for use with the <Attribute> 
> element.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       5.4. SAML Attribute Values
>
> The <AttributeValue> MUST be the OpenID attribute value, as defined in 
> [OpenID.attribute‑exchange‑1.0] (Hardt, D., “OpenID Attribute Exchange 
> 1.0 - Draft 03,” November 2006.) <#OpenID.attribute-exchange-1.0>.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       5.5. Example
>
> <saml:Attribute
>   NameFormat="urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri"
>   Name="http://openid.net/schema/contact/internet/email">
>   <saml:AttributeValue>
>     beth at home.com
>   </saml:AttributeValue>
> </saml:Attribute>
>
>   
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       6. Assertion Schema Extension
>
> An OpenID attribute value may be asserted by the user or by a 
> third-party. Third-party asserted attribute values include meta-data 
> about the assertion in part to enable the recipient to verify the 
> validity of the assertion. There are multiple possible ways of 
> encoding a third-party assertion, and multiple possible ways to verify 
> them. A SAML Assertion is one such encoding, and a digital signature 
> is one verification mechanism.
>
> This section defines the particulars of how the sender, i.e. the SAML 
> Authority, constructs certain portions of the SAML assertions it 
> issues. The schema for SAML assertions themselves is defined in 
> Section 2.3 of [OASIS.saml‑core‑2.0‑os] (Cantor, S., Kemp, J., 
> Philpott, R., and E. Maler, “Assertions and Protocol for the OASIS 
> Security Assertion Markup Language (SAML) V2.0,” March 2005.) 
> <#OASIS.saml-core-2.0-os>.
>
> An example SAML assertion, formulated according to this profile is 
> given in Section 9 (Example Signed SAML Assertion) <#example-assertion>.
>
> Overall SAML assertion profile requirements:
>
>     The SAML assertion MUST be signed by the same key as used to sign
>     the contents of the Identity header field. Signing of SAML
>     assertions is defined in section 5.4 of [OASIS.saml‑core‑2.0‑os]
>     (Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions and
>     Protocol for the OASIS Security Assertion Markup Language (SAML)
>     V2.0,” March 2005.) <#OASIS.saml-core-2.0-os>.
>
> In the following subsections, the SAML assertion profile is specified 
> element-by-element, in a top-down, depth-first manner, beginning with 
> the outermost element, "<OpenIDAssertion>". This specification 
> introduces the "<OpenIDAssertion>" element as a wrapper around the 
> SAML "<Assertion>" element to add OpenID meta-data to the assertion. 
> Where applicable, the requirements for an element's XML attributes are 
> also stated, as a part of the element's description. Requirements for 
> any given element or XML attribute are only stated when, in the 
> context of use of this profile, they are not already sufficiently 
> defined by [OASIS.saml‑core‑2.0‑os] (Cantor, S., Kemp, J., Philpott, 
> R., and E. Maler, “Assertions and Protocol for the OASIS Security 
> Assertion Markup Language (SAML) V2.0,” March 2005.) 
> <#OASIS.saml-core-2.0-os>.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       6.1. Element openid:Assertion
>
>     Attribute openid:RefreshURL
>         RefreshURL is an OPTIONAL XML attribute that, if specified,
>         SHOULD be set to the URL where an updated assertion can be
>         requested as per Section 8 (Refreshing an Assertion) <#refresh>. 
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       6.1.1. Element saml:Assertion
>
>     Attribute: ID
>         The value for the ID XML attribute SHOULD be allocated
>         randomly such that the value meets the randomness requirements
>         specified in section 1.3.4 of [OASIS.saml‑core‑2.0‑os]
>         (Cantor, S., Kemp, J., Philpott, R., and E. Maler, “Assertions
>         and Protocol for the OASIS Security Assertion Markup Language
>         (SAML) V2.0,” March 2005.) <#OASIS.saml-core-2.0-os>. 
>     Attribute: IssueInstant
>         The value for the IssueInstant XML attribute SHOULD be set at
>         the time the SAML assertion is created (and cached for
>         subsequent retrieval). 
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       6.1.1.1. Element saml:Issuer
>
> If the signature contains a ds:X509Certificate, the value for the 
> Issuer XML element SHOULD be a value that matches either the Subject 
> or the Subject Alternative Name fields [RFC3280] (Housley, R., Polk, 
> W., Ford, W., and D. Solo, “Internet X.509 Public Key Infrastructure 
> Certificate and Certificate Revocation List (CRL) Profile,” April 
> 2002.) <#RFC3280> in the certificate. The certificate element is 
> located on this path within the SAML assertion:
>
> <saml:Assertion
>   <ds:Signature
>     <ds:KeyInfo
>       <ds:X509Data
>         <ds:X509Certificate
>   
>
> In this case the Issuer element is in the format of the X.501 type Name.
>
> Assertions with signatures that do not contain an X509Certificate may 
> use an issuer identifier that matches the ds:KeyName element (see 
> [W3C.REC‑xmldsig‑core‑20020212] (Solo, D., Eastlake, D., and J. 
> Reagle, “XML-Signature Syntax and Processing,” February 2002.) 
> <#W3C.REC-xmldsig-core-20020212>).
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       6.1.1.2. Element saml:Subject
>
> The <saml:Assertion> element MUST contain a <saml:Subject> element.
>
> The <saml:Subject> element MUST contain a <saml:NameID> element.
>
> The value of the <saml:NameID> element is a subject identifier, either 
> a Claimed Identifier or IdP Identifier in OpenID parlance.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       6.1.1.3. Element saml:Conditions
>
> The following XML attributes of the <saml:Conditions> element MAY be 
> set as follows:
>
>     Attribute: NotBefore
>         The value of the NotBefore XML attribute must be set to a time
>         instant the same as the value for the IssueInstant XML
>         attribute discussed above, or to a later time. 
>     Attribute: NotOnOrAfter
>         The value of the NotOnOrAfter XML attribute MUST be set to a
>         time instant later than the value for NotBefore. 
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       6.1.1.4. Element saml:AttributeStatement
>
> The SAML assertion MUST contain a single <saml:AttributeStatement> 
> element. The <saml:AttributeStatement> element MUST contain one or 
> more attribute-value pair, encoded according to the OpenID attribute 
> schema extension Section 5 (OpenID SAML Attribute Profile) 
> <#saml-attribute>. It is RECOMMENDED that the number of 
> <saml:Attribute> elements within the <saml:AttributeStatement> be 
> limited to one.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       7. OpenID Assertion Schema
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- XML Schema for OpenIDAssertion -->
> <schema
>   targetNamespace="http://openid.net/xmlns/2.0"
>   xmlns="http://www.w3.org/2001/XMLSchema"
>   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>   xmlns:openid="http://openid.net/xmlns/2.0"
>   elementFormDefault="unqualified"
>   attributeFormDefault="unqualified"
>   blockDefault="substitution"
>   version="1.0">
>
>   <import
>     namespace="urn:oasis:names:tc:SAML:2.0:assertion"
>     schemaLocation="http://docs.oasis-open.org/security/
>                     saml/v2.0/saml-schema-assertion-2.0.xsd"/>
>
>   <element name="Assertion" type="openid:AssertionType"/>
>   <complexType name="AssertionType">
>     <sequence>
>       <element ref="saml:Assertion" minOccurs="0" maxOccurs="1"/>
>     </sequence>
>     <attribute name="RefreshURL" type="anyURI" use="optional"/>
>   </complexType>
>
> </schema>
>   
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       8. Refreshing an Assertion
>
> The mechanism for refreshing an assertion based on the RefreshURL 
> attribute of the openid:AssertionType element is not presently 
> defined. [TBD: define refresh protocol]
>
> The RefreshURL attribute may be supplied by an asserting party, but 
> SHOULD NOT be supplied to relying parties in general when it is 
> retrieved from an identity provider. This is in keeping with the rule 
> of minimal disclosure.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       9. Example Signed SAML Assertion
>
> Below is an example of a signed SAML assertion:
>
> <openid:Assertion
>    xmlns:openid="http://openid.net/xmlns/2.0"
>    RefreshURL="http://example-verified-email.com/renew">
>
> <Assertion ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
>    IssueInstant="2003-04-17T00:46:02Z" Version="2.0"
>    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>    <Issuer>
>       example-verified-email.com
>    </Issuer>
>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>    <ds:CanonicalizationMethod
>       Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>    <ds:SignatureMethod
>       Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>    <ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
>       <ds:Transforms>
>          <ds:Transform
>             Algorithm=
>             "http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>          <ds:Transform
>             Algorithm=
>             "http://www.w3.org/2001/10/xml-exc-c14n#">
>       <InclusiveNamespaces
>             PrefixList="#default saml ds xs xsi"
>             xmlns=
>             "http://www.w3.org/2001/10/xml-exc-c14n#"/>
>          </ds:Transform>
>       </ds:Transforms>
>       <ds:DigestMethod
>             Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <ds:DigestValue>
>             Kclet6XcaOgOWXM4gty6/UNdviI=
>       </ds:DigestValue>
>    </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue>
>         hq4zk+ZknjggCQgZm7ea8fI7...Hr7wHxvCCRwubnmIfZ6RqVL+wNmeWI4=
>       </ds:SignatureValue>
>       <ds:KeyInfo>
>    <ds:X509Data>
>        <ds:X509Certificate>
>     MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
>     MRIwEAYDVQQIEwlXaXNjb .....  dnP6Hr7wHxvCCRwubnmIfZ6QZAv2FU78pLX
>     8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdiowMNTrEG8cCx3w/w==
>        </ds:X509Certificate>
>    </ds:X509Data>
>       </ds:KeyInfo>
>    </ds:Signature>
>    <Subject>
>       <NameID
>         Format=
>            "urn:oasis:names:tc:SAML:1.1:nameid-format:entity">
>         http://www.home.com/beth
>       </NameID>
>    </Subject>
>    <Conditions NotBefore="2003-04-17T00:46:02Z">
>    </Conditions>
>    <AttributeStatement>
>      <Attribute
>        NameFormat=
>        "urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri"
>        Name="http://openid.net/schema/contact/web/blog">
>        <AttributeValue>http://bethexample.blogspot.com</AttributeValue>
>     </Attribute>
>   </AttributeStatement>
> </Assertion>
> </openid:Assertion>
>
>   
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       10. Security Considerations
>
> [NOTE: TBD]
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       11. Acknowledgements
>
> The author, John Merrels, and other contributors to the document 
> 'draft-merrels-dix-assertion'. Portions of that document were re-used 
> for this one.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       12. References
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       12.1. Normative References
>
> [OASIS.saml-conformance-2.0-os] 	Mishra, P. 
> <mailto:pmishra at principalidentity.com>, Philpott, R. 
> <mailto:rphilpott at rsasecurity.com>, and E. Maler 
> <mailto:eve.maler at sun.com>, “Conformance Requirements for the Security 
> Assertion Markup Language (SAML) V2.0 
> <http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf>,” 
> OASIS Standard saml-conformance-2.0-os, March 2005.
> [OASIS.saml-core-2.0-os] 	Cantor, S. <mailto:cantor.2 at osu.edu>, Kemp, 
> J. <mailto:John.Kemp at nokia.com>, Philpott, R. 
> <mailto:rphilpott at rsasecurity.com>, and E. Maler 
> <mailto:eve.maler at sun.com>, “Assertions and Protocol for the OASIS 
> Security Assertion Markup Language (SAML) V2.0 
> <http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf>,” 
> OASIS Standard saml-core-2.0-os, March 2005.
> [OASIS.saml-profiles-2.0-os] 	Hughes, J. <mailto:>, Cantor, S. 
> <mailto:cantor.2 at osu.edu>, Hodges, J. 
> <mailto:Jeff.Hodges at neustar.biz>, Hirsch, F. 
> <mailto:Frederick.Hirsch at nokia.com>, Mishra, P. 
> <mailto:pmishra at principalidentity.com>, Philpott, R. 
> <mailto:rphilpott at rsasecurity.com>, and E. Maler 
> <mailto:eve.maler at sun.com>, “Profiles for the OASIS Security Assertion 
> Markup Language (SAML) V2.0 
> <http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf>,” 
> OASIS Standard OASIS.saml-profiles-2.0-os, March 2005.
> [OpenID.attribute-exchange-1.0] 	Hardt, D. <mailto:dick at sxip.com>, 
> “OpenID Attribute Exchange 1.0 - Draft 03,” November 2006 (TXT 
> <http://www.openid.net/specs/openid-attribute-exchange-1_0-03.txt>, 
> HTML 
> <http://www.openid.net/specs/openid-attribute-exchange-1_0-03.html>).
> [OpenID.authentication-2.0] 	Recordon, D. 
> <mailto:drecordon at verisign.com>, Hoyt, J. <mailto:josh at janrain.com>, 
> Fitzpatrick, B. <mailto:brad at danga.com>, and D. Hardt 
> <mailto:dick at sxip.com>, “OpenID Authentication 2.0 - Draft 10,” August 
> 2006 (TXT 
> <http://www.openid.net/specs/openid-authentication-2_0-10.txt>, HTML 
> <http://www.openid.net/specs/openid-authentication-2_0-10.html>).
> [RFC2119] 	Bradner, S. <mailto:sob at harvard.edu>, “Key words for use in 
> RFCs to Indicate Requirement Levels 
> <ftp://ftp.isi.edu/in-notes/rfc2119.txt>,” BCP 14, RFC 2119, March 
> 1997 (TXT <ftp://ftp.isi.edu/in-notes/rfc2119.txt>, HTML 
> <http://xml.resource.org/public/rfc/html/rfc2119.html>, XML 
> <http://xml.resource.org/public/rfc/xml/rfc2119.xml>).
> [RFC3280] 	Housley, R., Polk, W., Ford, W., and D. Solo, “Internet 
> X.509 Public Key Infrastructure Certificate and Certificate Revocation 
> List (CRL) Profile <ftp://ftp.isi.edu/in-notes/rfc3280.txt>,” RFC 
> 3280, April 2002.
> [RFC3548] 	Josefsson, S., “The Base16, Base32, and Base64 Data 
> Encodings <ftp://ftp.isi.edu/in-notes/rfc3548.txt>,” RFC 3548, July 2003.
> [W3C.REC-xmldsig-core-20020212] 	Solo, D., Eastlake, D., and J. 
> Reagle, “XML-Signature Syntax and Processing 
> <http://www.w3.org/TR/2002/REC-xmldsig-core-20020212>,” W3C 
> Recommendation http://www.w3.org/TR/2002/REC-xmldsig-core-20020212, 
> February 2002.
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       12.2. Informative References
>
> [OASIS.saml-glossary-2.0-os] 	Hodges, J. 
> <mailto:Jeff.Hodges at neustar.biz>, Philpott, R. 
> <mailto:rphilpott at rsasecurity.com>, and E. Maler 
> <mailto:eve.maler at sun.com>, “Glossary for the Security Assertion 
> Markup Language (SAML) V2.0 
> <http://docs.oasis-open.org/security/saml/v2.0/saml-glossary-2.0-os.pdf>,” 
> OASIS Standard saml-glossary-2.0-os, March 2005.
> [OpenID.attribute-types-1.0] 	Hardt, D. <mailto:dick at sxip.com>, 
> “OpenID Attribute Types - Draft 02,” November 2006 (TXT 
> <http://www.openid.net/specs/openid-attribute-types-1_0-02.txt>, HTML 
> <http://www.openid.net/specs/openid-attribute-types-1_0-02.html>).
>
>
> ------------------------------------------------------------------------
> TOC <#toc>
>
>
>       Author's Address
>
> 	Dick Hardt
> 	Sxip Identity
> 	798 Beatty Street
> 	Vancouver, BC V6B 2M1
> 	CA
> Email: 	dick at sxip.com <mailto:dick at sxip.com>
> URI: 	http://sxip.com/
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>   
> ------------------------------------------------------------------------
>
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.409 / Virus Database: 268.15.6/566 - Release Date: 12/3/2006
>   

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20061204/734adf7d/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-saml-openid-simplereg-01.xml
Type: text/xml
Size: 4738 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20061204/734adf7d/attachment-0002.bin>


More information about the specs mailing list