Network Working Group                                        J. Merrells
Internet-Draft                                             Sxip Identity
Expires: December 2, 2006                                   May 31, 2006


                             DIX Assertions
                   draft-merrells-dix-assertion-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 2, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes a 'SAML Assertion Profile' for encoding
   third-party attested attribute value assertions as DIX Properties.
   DIX is an Internet scale protocol for the exchange of identity
   information that is designed for ease of adoption and user privacy.

Merrells                Expires December 2, 2006                [Page 1]

Internet-Draft               DIX Assertions                     May 2006

Table of Contents

   1.  Introduction
   2.  Notation
   3.  Specification Scope
   4.  SAML Introduction
       4.1.  SAML Assertions
   5.  Employing SAML in DIX
   6.  Attribute Profile Description
       6.1.  DIX Attribute Profile
             6.1.1.  Required Information
             6.1.2.  SAML Attribute Naming
             6.1.3.  Profile-Specific XML Attributes
             6.1.4.  SAML Attribute Values
             6.1.5.  Example
   7.  Assertion Profile Description
       7.1.  Element dix:DIXAssertion
             7.1.1.  Element saml:Assertion
   8.  Acknowledgements
   9.  DIXAssertion Schema
   10. Example Signed SAML Assertion
   11. IANA Considerations
   12. Security Considerations
   13. References
       13.1.  Normative References
       13.2.  Informative References
   Author's Address
   Intellectual Property and Copyright Statements

1.  Introduction

   This document specifies an assertion profile of the Security
   Assertion Markup Language (SAML) V2.0 called 'DIX - Assertions' in
   order to satisfy the use cases documented in
   [I-D.draft-merrells-use-cases].

   Security Assertion Markup Language (SAML) v2.0, "SAMLv2", is an
   XML-based framework for creating and exchanging security information.
   [OASIS.sstc-saml-exec-overview-2.0-cd-01] and
   [OASIS.sstc-saml-tech-overview-2.0-draft-08] provide non-normative
   overviews of SAMLv2.  The SAMLv2 specification set is normatively
   defined by [OASIS.saml-conformance-2.0-os].
2.  Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   In this specification, the term, or term component, "SAML" refers to
   SAML V2.0 in all cases.  For example, the term "SAML assertion"
   implicitly means "SAMLv2 assertion".  For overall SAML terminology,
   see [OASIS.saml-glossary-2.0-os].

   Conventional XML namespace prefixes are used throughout this
   specification to stand for their respective namespaces as follows,
   whether or not a namespace declaration is present in the example:

   Prefix: dix
      XML Namespace: urn:ietf:params:dix:protocol
      This is the DIX protocol namespace.

   Prefix: ds
      XML Namespace: http://www.w3.org/2000/09/xmldsig#
      This namespace is defined in the XML Signature Syntax and
      Processing specification [W3C.xmldsig-core] and its governing
      schema.

   Prefix: saml
      XML Namespace: urn:oasis:names:tc:SAML:2.0:assertion
      This is the SAML V2.0 assertion namespace
      [OASIS.saml-core-2.0-os].

3.  Specification Scope

   The scope of this draft is to satisfy the requirements drawn from the
   DIX Use Cases that describe scenarios based on assertions
   [I-D.draft-merrells-use-cases].

4.  SAML Introduction

   SAML [OASIS.sstc-saml-exec-overview-2.0-cd-01]
   [OASIS.sstc-saml-tech-overview-2.0-draft-08] defines an XML-based
   framework for exchanging "security assertions" between entities.
   SAML can be employed to make and encode statements such as "Beth has
   these profile attributes and her domain's certificate is available
   over there, and I'm making this statement, and here's who I am."

   A SAML assertion profile is the specification of the assertion
   contents in the context of a particular SAML profile.
   It is possibly further qualified by a particular implementation
   and/or deployment context.  Condensed examples of SAML assertion
   profiles are:

   o  The SAML assertion must contain at least one authentication
      statement and no other statements.  The relying party must be
      represented in the element.  The SubjectConfirmation Method must
      be Foo.  etc.

   o  The SAML assertion must contain at least one attribute statement
      and may contain more than one.  The values for the subject's
      profile attributes named "Foo" and "Bar" must be present.  An
      authentication statement may be present.  etc.

4.1.  SAML Assertions

   A SAML assertion is a package of information including issuer and
   subject, conditions and advice, and/or attribute statements, and/or
   authentication statements and/or other statements.  Statements may
   or may not be present.  The SAML assertion "container" itself
   contains the following information:

   Issuing information:  Who issued the assertion, when it was issued,
      and the assertion identifier.

   Subject information:  The name of the subject, the security domain,
      and optional subject information, such as a public key.

   Conditions under which the assertion is valid:  Special kinds of
      conditions such as the assertion validity period, audience
      restriction, and target restriction.

   Additional advice:  Explaining how the assertion was made, for
      example.

   In terms of SAML assertions containing SAML attribute statements,
   here is an explanatory example: with a SAML assertion containing a
   SAML attribute statement, an issuing authority is asserting that the
   subject is associated with certain attributes with certain subject
   profile attribute values.  For example, user
   "http://www.home.com/beth" is associated with the attribute
   "http://sxip.net/contact/internet/email", which has the value
   "beth@home.com".

5.  Employing SAML in DIX

   Employing SAML in DIX necessitates devising a new SAML Assertion
   Profile and a new SAML Attribute Profile, because those already
   specified in the SAMLv2 specification set are specific to other use
   contexts and use cases.  This does not present any untoward
   difficulties, due to SAML's inherent and explicit extensibility.

   This document introduces a new SAML Attribute Profile.

6.  Attribute Profile Description

6.1.  DIX Attribute Profile

   The DIX Attribute Profile specifies how DIX properties can be
   represented as SAML Attributes.  A DIX Property is an attribute value
   assertion that can either be self asserted or asserted by a third
   party.  An example of a third party assertion would be a government
   agency asserting that Beth is older than 21.  This Attribute Profile
   describes a DIX Property represented as a SAML Assertion.

6.1.1.  Required Information

   The information given in this section is similar to the information
   provided when registering something, a MIME Media Type, say, with
   IANA.  In this case, it is for registering this profile with the
   OASIS SSTC.  See section 2 "Specification of Additional Profiles" in
   [OASIS.saml-profiles-2.0-os].

   Identification:  urn:ietf:params:dix:saml-profile:attribute

   Contact Information:  [TODO - JM - someone's or something's contact
      info goes here.]

   Description:  Given below.

   Updates:  None.

6.1.2.  SAML Attribute Naming

   The NameFormat XML attribute of the SAML Attribute must be
   urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri.

   The Name XML attribute MUST be the DIX Property Name and MUST adhere
   to the rules specified for that format.  DIX Property Names are
   defined in [I-D.draft-merrells-dix] [Information Model - Property
   Name].  SAML Attribute Name formats are defined in
   [OASIS.saml-core-2.0-os].

6.1.3.  Profile-Specific XML Attributes

   No additional XML attributes are defined for use with the SAML
   Attribute element.

6.1.4.  SAML Attribute Values

   The SAML Attribute Value MUST be the DIX Property Value, as defined
   in [I-D.draft-merrells-dix] [Information Model - Property Value].

6.1.5.  Example

   beth@home.com

7.  Assertion Profile Description

   A DIX property value could be an attribute value that is asserted by
   the user or by a third party.  Third-party asserted attribute values
   include meta-data about the assertion, in part to enable the
   recipient to verify the validity of the assertion.  There are
   multiple possible ways of encoding a third-party assertion, and
   multiple possible ways to verify them.  A SAML Assertion is one such
   encoding, and a digital signature is one verification mechanism.

   This section defines the particulars of how the sender, i.e. the
   SAML Authority, constructs certain portions of the SAML assertions it
   issues.  The schema for SAML assertions themselves is defined in
   Section 2.3 of [OASIS.saml-core-2.0-os].  An example SAML assertion,
   formulated according to this profile, is given in Section 10.

   Overall SAML assertion profile requirements:

   The SAML assertion MUST be signed by the same key as used to sign the
   contents of the Identity header field.  Signing of SAML assertions is
   defined in section 5.4 of [OASIS.saml-core-2.0-os].

   In the following subsections, the SAML assertion profile is specified
   element-by-element, in a top-down, depth-first manner, beginning with
   the outermost element, "dix:DIXAssertion".  This specification
   introduces the "dix:DIXAssertion" element as a wrapper around the
   SAML "saml:Assertion" element to add DIX meta-data to the assertion.
   Where applicable, the requirements for an element's XML attributes
   are also stated, as a part of the element's description.
   Requirements for any given element or XML attribute are only stated
   when, in the context of use of this profile, they are not already
   sufficiently defined by [OASIS.saml-core-2.0-os].

7.1.  Element dix:DIXAssertion

   Attribute: dix:RefreshURL

      The value for the RefreshURL XML attribute SHOULD be the URL where
      an updated assertion can be retrieved.

7.1.1.  Element saml:Assertion

   Attribute: ID

      The value for the ID XML attribute SHOULD be allocated randomly
      such that the value meets the randomness requirements specified in
      section 1.3.4 of [OASIS.saml-core-2.0-os].

   Attribute: IssueInstant

      The value for the IssueInstant XML attribute SHOULD be set at the
      time the SAML assertion is created (and cached for subsequent
      retrieval).

7.1.1.1.  Element saml:Issuer

   The value for the Issuer XML element MUST be a value that matches
   either the Issuer or the Issuer Alternative Name fields [RFC3280] in
   the certificate conveyed by the SAML assertion in the
   ds:X509Certificate element located on this path within the SAML
   assertion:

   element MUST contain a element.  The element MUST contain a element.
   The value of the element is a DIX Identifier.
   [I-D.draft-merrells-dix] [Identifier]

7.1.1.3.  Element saml:Conditions

   The following XML attributes of the Conditions element MUST be set
   as follows:

   Attribute: NotBefore

      The value of the NotBefore XML attribute MUST be set to a time
      instant the same as the value for the IssueInstant XML attribute
      discussed above, or to a later time.

   Attribute: NotOnOrAfter

      The value of the NotOnOrAfter XML attribute MUST be set to a time
      instant later than the value for NotBefore.

7.1.1.4.  Element saml:AttributeStatement

   The SAML assertion MUST contain an AttributeStatement element.  The
   element MUST contain a single attribute-value pair, encoded according
   to the DIX Attribute Profile (Section 6).
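   As an added example (not code from the draft or from Sxip), the
   following Python checks an assertion against the structural rules of
   the DIX Attribute Profile (Section 6) and the DIX Assertion Profile
   (Section 7): the dix:DIXAssertion wrapper and its RefreshURL, the
   Issuer matching the signing certificate's names, the IssueInstant /
   NotBefore / NotOnOrAfter ordering, and the single URI-named
   attribute-value pair.  The sample assertion, its RefreshURL and its
   ID are constructed; verification of the ds:Signature required by
   Section 7 is assumed to be done first by an XML-DSig library, which
   is also where the certificate names passed in would come from.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"dix": "urn:ietf:params:dix:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri"   # Section 6.1.2

# Constructed sample (values modelled on the draft's examples; RefreshURL and ID are made up).
SAMPLE = """<dix:DIXAssertion xmlns:dix="urn:ietf:params:dix:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    RefreshURL="https://example-verified-email.com/refresh/beth">
  <saml:Assertion Version="2.0" ID="_constructed-random-id-0001"
      IssueInstant="2006-05-31T12:00:00Z">
    <saml:Issuer>example-verified-email.com</saml:Issuer>
    <saml:Subject><saml:NameID>http://www.home.com/beth</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2006-05-31T12:00:00Z" NotOnOrAfter="2006-06-01T12:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://sxip.net/contact/internet/email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri">
        <saml:AttributeValue>beth@home.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</dix:DIXAssertion>"""

def parse_ts(value):
    """Parse an xs:dateTime in UTC ('Z') form; raises if absent or malformed."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_dix_assertion(xml_text, cert_names):
    """Return the list of profile violations (empty means it conforms).  cert_names holds
    the Issuer and Issuer Alternative Name values of the certificate that verified ds:Signature."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}DIXAssertion" % NS["dix"]:
        return ["outermost element is not dix:DIXAssertion"]
    if not root.get("RefreshURL"):
        problems.append("RefreshURL absent (SHOULD be present)")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["saml:Assertion missing"]
    # 7.1.1.1: Issuer must match one of the signing certificate's names
    if a.findtext("saml:Issuer", default="", namespaces=NS) not in cert_names:
        problems.append("Issuer does not match certificate Issuer/IAN")
    # 7.1.1.3: IssueInstant <= NotBefore < NotOnOrAfter
    cond = a.find("saml:Conditions", NS)
    if cond is None or a.get("IssueInstant") is None:
        problems.append("IssueInstant and saml:Conditions are required")
    else:
        issued = parse_ts(a.get("IssueInstant"))
        not_before = parse_ts(cond.get("NotBefore"))
        if not_before < issued:
            problems.append("NotBefore earlier than IssueInstant")
        if parse_ts(cond.get("NotOnOrAfter")) <= not_before:
            problems.append("NotOnOrAfter not later than NotBefore")
    # 7.1.1.4 and 6.1: a single URI-named attribute-value pair per statement
    stmts = a.findall("saml:AttributeStatement", NS)
    if not stmts:
        problems.append("saml:AttributeStatement missing")
    for stmt in stmts:
        attrs = stmt.findall("saml:Attribute", NS)
        if len(attrs) != 1 or len(attrs[0].findall("saml:AttributeValue", NS)) != 1:
            problems.append("AttributeStatement must hold a single attribute-value pair")
        elif attrs[0].get("NameFormat") != URI_FORMAT or not attrs[0].get("Name"):
            problems.append("Attribute needs a DIX Property Name in the uri NameFormat")
    return problems
```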
8.  Acknowledgements

   The authors of 'draft-tschofenig-sip-saml-05', a SAML profile for
   SIP, from which portions of text were lifted and reworked: Hannes
   Tschofenig, Jon Peterson, James Polk, Douglas C. Sicker, and Jeff
   Hodges.

   For their comments on draft-merrells-dix-assertion-00: Pete Rowley.

9.  DIXAssertion Schema

10.  Example Signed SAML Assertion

   Below is an example of a signed SAML assertion:

   example-verified-email.com
   http://www.home.com/beth
   beth@home.com

11.  IANA Considerations

   This document proposes the registration of a new URN for a SAML
   Profile, which must be agreed upon and registered with IANA.

12.  Security Considerations

   [TODO - JM - Write security considerations section.]

13.  References

13.1.  Normative References

   [ECMA262]  "ECMAScript Language Specification, 3rd Edition",
              December 1999.

   [I-D.draft-merrells-dix]
              Merrells, J., "DIX: Digital Identity Exchange Protocol",
              May 2006.

   [I-D.draft-merrells-use-cases]
              Merrells, J., "DIX Use Cases", May 2006.

   [OASIS.saml-bindings-2.0-os]
              Cantor, S., Hirsch, F., Kemp, J., Philpott, R., and
              E. Maler, "Bindings for the OASIS Security Assertion
              Markup Language (SAML) V2.0", OASIS Standard
              saml-bindings-2.0-os, March 2005.

   [OASIS.saml-core-2.0-os]
              Cantor, S., Kemp, J., Philpott, R., and E. Maler,
              "Assertions and Protocol for the OASIS Security Assertion
              Markup Language (SAML) V2.0", OASIS Standard
              saml-core-2.0-os, March 2005.

   [OASIS.saml-metadata-2.0-os]
              Cantor, S., Moreh, J., Philpott, R., and E. Maler,
              "Metadata for the Security Assertion Markup Language
              (SAML) V2.0", OASIS Standard saml-metadata-2.0-os,
              March 2005.

   [OASIS.saml-profiles-2.0-os]
              Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
              P., Philpott, R., and E. Maler, "Profiles for the OASIS
              Security Assertion Markup Language (SAML) V2.0", OASIS
              Standard saml-profiles-2.0-os, March 2005.

   [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
              and Support", STD 3, RFC 1123, October 1989.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
              Keyed-Hashing for Message Authentication", RFC 2104,
              February 1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2396]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 2396,
              August 1998.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence,
              S., Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, June 1999.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, June 2003.

   [SHA]      NIST, "FIPS PUB 180-1: Secure Hash Standard", April 1995.

   [W3C.XHTML.10]
              W3C, "XHTML 1.0 The Extensible HyperText Markup Language
              (Second Edition)", August 2002.

   [W3C.xmldsig-core]
              Eastlake, D., Reagle, J., and D. Solo, "XML-Signature
              Syntax and Processing", W3C Recommendation xmldsig-core,
              October 2000.

13.2.  Informative References

   [IANA.application.samlassertion-xml]
              OASIS Security Services Technical Committee (SSTC),
              "application/samlassertion+xml MIME Media Type
              Registration", IANA MIME Media Types Registry
              application/samlassertion+xml, December 2004.

   [OASIS.draft-saml-protocol-ext-02]
              Cantor, S., "SAML Protocol Extensions", OASIS SSTC
              Working Draft draft-saml-protocol-ext-02, February 2006.

   [OASIS.saml-conformance-2.0-os]
              Mishra, P., Philpott, R., and E. Maler, "Conformance
              Requirements for the Security Assertion Markup Language
              (SAML) V2.0", OASIS Standard saml-conformance-2.0-os,
              March 2005.

   [OASIS.saml-glossary-2.0-os]
              Hodges, J., Philpott, R., and E. Maler, "Glossary for the
              Security Assertion Markup Language (SAML) V2.0", OASIS
              Standard saml-glossary-2.0-os, March 2005.

   [OASIS.saml-sec-consider-2.0-os]
              Hirsch, F., Philpott, R., and E. Maler, "Security and
              Privacy Considerations for the OASIS Security Markup
              Language (SAML) V2.0", OASIS Standard
              saml-sec-consider-2.0-os, March 2005.

   [OASIS.sstc-saml-exec-overview-2.0-cd-01]
              Madsen, P. and E. Maler, "SAML V2.0 Executive Overview",
              OASIS SSTC Committee Draft
              sstc-saml-exec-overview-2.0-cd-01, April 2005.

   [OASIS.sstc-saml-tech-overview-2.0-draft-08]
              Hughes, J. and E. Maler, "Security Assertion Markup
              Language (SAML) V2.0 Technical Overview", OASIS SSTC
              Working Draft sstc-saml-tech-overview-2.0-draft-08,
              September 2005.

   [RFC2543]  Handley, M., Schulzrinne, H., Schooler, E., and
              J. Rosenberg, "SIP: Session Initiation Protocol",
              RFC 2543, March 1999.

   [RFC3323]  Peterson, J., "A Privacy Mechanism for the Session
              Initiation Protocol (SIP)", RFC 3323, November 2002.

Author's Address

   John Merrells
   Sxip Identity
   798 Beatty Street
   Vancouver, BC  V6B 2M1
   Canada

   Email: merrells@sxip.com
   URI:   http://sxip.com/

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.
Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.