Internet DRAFT - draft-hodges-saml-mediatype

draft-hodges-saml-mediatype




Network Working Group                                          J. Hodges
Internet-Draft                                    Sun Microsystems, Inc.
Expires: December 16, 2004                                 June 17, 2004


              application/saml+xml Media Type Registration
                     draft-hodges-saml-mediatype-01

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3667.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 16, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

   This document describes a MIME media type -- application/saml+xml --
   for use with the XML serialization of SAML (Security Assertion Markup
   Language) assertions, or other SAML-defined objects.











Hodges                 Expires December 16, 2004                [Page 1]

Internet-Draft            application/saml+xml                 June 2004


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1   Discussion of this Document  . . . . . . . . . . . . . . .  3
     1.2   Document Conventions . . . . . . . . . . . . . . . . . . .  3

   2.  Usage of the application/saml+xml MIME Media Type  . . . . . .  4

   3.  application/saml+xml MIME Media Type Registration  . . . . . .  4

   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  6

   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  6

   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  6

       Normative References . . . . . . . . . . . . . . . . . . . . .  6

       Informative References . . . . . . . . . . . . . . . . . . . .  8

       Author's Address . . . . . . . . . . . . . . . . . . . . . . .  8

   A.  Revision History . . . . . . . . . . . . . . . . . . . . . . .  8

       Intellectual Property and Copyright Statements . . . . . . . .  9


























Hodges                 Expires December 16, 2004                [Page 2]

Internet-Draft            application/saml+xml                 June 2004


1. Introduction

   This document defines a MIME media type -- application/saml+xml --
   for use with the XML serialization of SAML (Security Assertion Markup
   Language) assertions, or other SAML-defined objects.

   The SAML specification sets, SAML V1.0 [5] and SAML V1.1 [9], are
   work products of the OASIS [13] Security Services Technical Committee
   (SSTC) [14]. The SAML specifications define XML-based constructs with
   which one may make, and convey, security assertions. For example, one
   can assert that an authentication event pertaining to some subject
   has occured and convey said assertion to a relying party.

1.1 Discussion of this Document

   Please send comments on this document to the  "security services
   comment" email distribution list:

      <mailto:security-services-comment@lists.oasis-open.org>

   The "security services comment" mailing list is publically archived
   here [15].

   To post to the "security services comment" mailing list, one must
   subscribe to it.  To subscribe, send a message with the single word
   "subscribe" in the message body, to:

      <mailto:security-services-comment-request@lists.oasis-open.org>

   Additionally, the SAML developer community email distribution list:

      <mailto:saml-dev@lists.oasis-open.org>

   may be employed to discuss usage of the application/saml+xml MIME
   media type.

   The "saml-dev" mailing list is publically archived here [16].

   To post to the "saml-dev" mailing list, one must subscribe to it.  To
   subscribe, send a message with the single word "subscribe" in the
   message body, to:

      <mailto:saml-dev-request@lists.oasis-open.org>


1.2 Document Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",



Hodges                 Expires December 16, 2004                [Page 3]

Internet-Draft            application/saml+xml                 June 2004


   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [2].

2. Usage of the application/saml+xml MIME Media Type

   Application protocols capable of conveying MIME entities, such as
   HTTP [3], SHOULD use the media type defined in this document when
   conveying SAML-defined objects.

3. application/saml+xml MIME Media Type Registration

   This is a media type registration as defined in Multipurpose Internet
   Mail Extensions (MIME) Part Four: Registration Procedures [1] and XML
   Media Types [4].

      MIME media type name:

         application

      MIME subtype name:

         saml+xml

      Required parameters:

         none

      Optional parameters: charset

         Same as charset parameter of application/xml.

      Encoding considerations:

         Same as charset parameter of application/xml.

      Security considerations:

         Security considerations include many of those described in
         section 10 of RFC 3023 [4] as well as those specifically
         described in:

            SAML V1.0 Assertions and Protocol [6]

            SAML V1.0 Bindings and Profiles [7]

            SAML V1.0 Security and Privacy Considerations [8]

         ..and/or..



Hodges                 Expires December 16, 2004                [Page 4]

Internet-Draft            application/saml+xml                 June 2004


            SAML V1.1 Assertions and Protocol [10]

            SAML V1.1 Bindings and Profiles [11]

            SAML V1.1 Security and Privacy Considerations [12] .

         ..depending on the version of the SAML object (see the next
         item).

      Interoperability considerations:

         SAML assertions are explicitly versioned. Relying parties
         SHOULD ensure that they observe assertion version information
         and behave accordingly. See "Chapter 4  SAML Versioning" in
         SAML V1.0 Assertions and Protocol [6], and/or SAML V1.1
         Assertions and Protocol [10], as appropriate.

      Published specification:

         See the SAML V1.0 [5] and SAML V1.1 [9] specification sets.

      Applications which use this media type:

         SAML is device-, platform-, and vendor-neutral and is supported
         by a range of server- and client-side applications and tools.

      Additional information:

         Magic number(s): none, but..

            Although no byte sequences can be counted on to consistently
            identify SAML objects, i.e. assertions and/or protocol
            messages, they will contain either one, or both of, the
            strings:

               urn:oasis:names:tc:SAML:1.0:assertion

               urn:oasis:names:tc:SAML:1.0:protocol

            to identify the SAML XML namespace(s).

         File extension(s):

            none

         Macintosh File Type Code(s):

            none



Hodges                 Expires December 16, 2004                [Page 5]

Internet-Draft            application/saml+xml                 June 2004


      Person & email address to contact for further information:

         Use the email distribution lists identified in Section 1.1
         above.

         Additionally, or otherwise, refer to the Security Services
         Technical Committee website [14].

      Intended usage:

         COMMON

      Author/Change controller:

         The SAML specification sets are a work product of the OASIS
         Security Services Technical Committee (SSTC). OASIS and the
         SSTC have change control over the SAML specification sets.


4. IANA Considerations

   This document calls for registration of a new MIME content-type,
   according to the registration information given above in Section 3.

5. Security Considerations

   See the "Security Considerations" item in Section 3 above.

6. Acknowledgements

   This doc is based on Aaron Schwartz' internet-draft for the
   application/rdf+xml MIME media type [18]. Thanks to Graham Klyne for
   pointing me to the latter, to Scott Cantor and John Kemp for
   volunteering me to write this, and to Marshall Rose for his xml2rfc
   document converter gizmo [17]. Artists whose music contributed to the
   writing of this spec ranged from John Coltrane [19] to Trapt [20].

Normative References

   [1]   Freed, N., Klensin, J. and J. Postel, "Multipurpose Internet
         Mail Extensions (MIME) Part Four: Registration Procedures", BCP
         13, RFC 2048, November 1996.

   [2]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [3]   Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
         Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol --



Hodges                 Expires December 16, 2004                [Page 6]

Internet-Draft            application/saml+xml                 June 2004


         HTTP/1.1", RFC 2616, June 1999.

   [4]   Murata, M., St. Laurent, S. and D. Kohn, "XML Media Types", RFC
         3023, January 2001.

   [5]   OASIS, "Security Assertion Markup Language (SAML) Version 1.0
         Specification Set", OASIS Standard 200205, September 2003,
         <http://www.oasis-open.org/committees/download.php/2290/
         oasis-sstc-saml-1.0.zip>.

   [6]   Hallam-Baker, P., Ed. and E. Maler, Ed., "Assertions and
         Protocol for the OASIS Security Assertion Markup Language
         (SAML) V1.0", OASIS Standard 200205, November 2002, <http://
         www.oasis-open.org/apps/org/workgroup/security/download.php/
         1371/oasis-sstc-saml-core-1.0.pdf>.

   [7]   Mishra, P., Ed., "Bindings and Profiles for the OASIS Security
         Assertion Markup Language  (SAML) V1.0", OASIS Standard 200205,
         November 2002, <http://www.oasis-open.org/apps/org/workgroup/
         security/download.php/1372/oasis-sstc-saml-bindings-1.0.pdf>.

   [8]   McLaren, C., Ed., "Security and Privacy Considerations for the
         OASIS Security Assertion Markup  Language (SAML) V1.0", OASIS
         Standard 200205, November 2002, <http://www.oasis-open.org/
         apps/org/workgroup/security/download.php/1375/
         oasis-sstc-saml-sec-consider-1.0.pdf>.

   [9]   OASIS, "Security Assertion Markup Language (SAML) Version 1.1
         Specification Set", OASIS Standard 200308, September 2003,
         <http://www.oasis-open.org/committees/download.php/3400/
         oasis-sstc-saml-1.1-pdf-xsd.zip>.

   [10]  Maler, E., Ed., Mishra, P., Ed. and R. Philpott, Ed.,
         "Assertions and Protocol for the OASIS Security Assertion
         Markup Language (SAML) V1.1", OASIS Standard 200308, September
         2003, <http://www.oasis-open.org/apps/org/workgroup/security/
         download.php/3406/oasis-sstc-saml-core-1.1.pdf>.

   [11]  Maler, E., Ed., Mishra, P., Ed. and R. Philpott, Ed., "Bindings
         and Profiles for the OASIS Security Assertion Markup Language
         (SAML) V1.1", OASIS Standard 200308, September 2003, <http://
         www.oasis-open.org/apps/org/workgroup/security/download.php/
         3405/oasis-sstc-saml-bindings-1.1.pdf>.

   [12]  Maler, E., Ed. and R. Philpott, Ed., "Security and Privacy
         Considerations for the OASIS Security Assertion Markup
         Language (SAML) V1.1", OASIS Standard 200308, September 2003,
         <http://www.oasis-open.org/apps/org/workgroup/security/



Hodges                 Expires December 16, 2004                [Page 7]

Internet-Draft            application/saml+xml                 June 2004


         download.php/3404/oasis-sstc-saml-sec-consider-1.1.pdf>.

Informative References

   [13]  "Organization for the Advancement of Structured Information
         Systems (OASIS)", <http://www.oasis-open.org/>.

   [14]  "Security Services Technical Committee (SSTC/SAML)", <http://
         www.oasis-open.org/committees/security/>.

   [15]  "SSTC/SAML 'comment' Mailing List Archives", <http://
         lists.oasis-open.org/archives/security-services-comment/>.

   [16]  "SSTC/SAML 'saml-dev' Mailing List Archives", <http://
         lists.oasis-open.org/archives/saml-dev/>.

   [17]  "Marshall Rose's xml2rfc tool", <http://xml.resource.org>.

URIs

   [18]  <http://www.aaronsw.com/2002/
         draft-w3c-rdfcore-rdfxml-mediatype-01>

   [19]  <http://www.johncoltrane.com/>

   [20]  <http://www.trapt.com/>


Author's Address

   Jeff Hodges
   Sun Microsystems, Inc.
   4220 Network Circle, Bldg 22, USCA22-212
   Santa Clara, CA  95054
   USA

   Phone: +1 408.276.5467
   EMail: Jeff.Hodges@sun.com
   URI:   http://www.sun.com/

Appendix A. Revision History










Hodges                 Expires December 16, 2004                [Page 8]

Internet-Draft            application/saml+xml                 June 2004


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the IETF's procedures with respect to rights in IETF Documents can
   be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2004). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Hodges                 Expires December 16, 2004                [Page 9]