Hi,
I did a review of this draft today and here are my comments to it:
>- applicability - does it identify and solve a problem?
I believe it solves a relevant problem which was identified
already within RFC 4484.
>- readability - I didn't understand what it was trying to tell me?
I found the draft easy to understand even if I had very little
knowledge on SAML itself when starting to read the draft some
time ago.
>- correctness of technical solution - the solution is flawed?
The approach itself seems to be sound, but some details still
need polishing, like this one:
10. Verify that the SAML assertion contains an <Audience> element,
and that its value matches the value of the addr-spec of the SIP
To header field.
How is this matching to be done? Shall the <Audience> element
exactly match the SIP URI in the To header, or can it contain just a
part of it (like the host part of the URI)? The example in section 8
is like this:
19 <Audience>
20 example2.com
21 </Audience>
which is not a SIP URI, so I believe either the example or the
normative text needs clarification.
>- completeness - is there something missing?
The draft refers to a number of open issues:
13. Open Issues
A list of open issues can be found at:
http://www.tschofenig.com:8080/saml-sip/
It seems to me that those issues are still open within this
version of the draft and should be addressed. I became concerned
especially about issue 12, where there is an interoperability problem
if the UAS only supports Identity-Info to refer to a certificate
(per RFC 4474) instead of a SAML assertion. This should be fixed in
some way or another.
@@ TODO: do we need to define a new SIP error response code for
when a SAML assn signature is bad? e.g., '4xx Invalid SAML
asssertion'.
This TODO shall be resolved. To me an extra error code
would make sense.
>- nits
I found these:
In section 6.1.2:
Although this profile is overview is cast in terms of a SIP INVITE
transaction
The first 'is' of the sentence sounds unnecessary.
and also containing a the domain's (example.com) public key
certificate
The 'a' should be removed.
The SIP URIs in Figure 2 should be checked:
- Is Alice either [EMAIL PROTECTED] or [EMAIL PROTECTED] ?
- Is Bob either [EMAIL PROTECTED] or [EMAIL PROTECTED] ?
- Should the SIP URIs of both Bob and Alice or neither
of them have sip: prefix in the figure ? Currently
Alice does not have it (in From) while Bob has (in To).
In section 9.1.
* etc.
This 'etc' should be removed.
Regards,
Erkki
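To make the <Audience> ambiguity raised above concrete, here is an added example (not code from the draft or from the reviewer) showing how a UAS-side check behaves under the two readings of step 10: an exact comparison of the Audience value against the To header addr-spec, and a comparison against only the host part of that addr-spec. The To header and the assertion fragment are constructed sample input; the draft's own example value "example2.com" is used as the Audience, and the policy names "exact" and "host" are this example's own.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted assertions in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample input (not taken from the draft's figures).
SAMPLE_TO_HEADER = "Bob <sip:bob@example2.com>;tag=a6c85cf"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>example2.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def to_addr_spec(to_header: str) -> str:
    """Extract the addr-spec from a SIP To header field value.

    Handles both the name-addr form ("Bob <sip:...>;tag=...") and the bare
    addr-spec form ("sip:...;tag=..."), dropping header parameters.
    """
    m = re.search(r"<([^>]+)>", to_header)
    if m:
        return m.group(1)
    return to_header.split(";", 1)[0].strip()


def host_of(addr_spec: str) -> str:
    """Return the host part of a SIP URI addr-spec, lower-cased.

    Strips scheme, userinfo, port, uri-parameters and headers. Host names
    are case-insensitive in SIP URI comparison, hence the lower-casing.
    """
    rest = addr_spec.split(":", 1)[1] if ":" in addr_spec else addr_spec
    rest = rest.rsplit("@", 1)[-1]
    rest = rest.split(";", 1)[0].split("?", 1)[0]
    if rest.startswith("["):  # IPv6 reference
        return rest.split("]", 1)[0][1:].lower()
    return rest.split(":", 1)[0].lower()


def audiences(assertion_xml: str) -> list:
    """Collect every <Audience> value found in the assertion."""
    root = ET.fromstring(assertion_xml)
    return [(a.text or "").strip() for a in root.iter(f"{{{SAML_NS}}}Audience")]


def audience_matches(assertion_xml: str, to_header: str, policy: str) -> bool:
    """Apply step 10 of the verification procedure under one of two readings.

    policy "exact": an Audience value must equal the To addr-spec string
                    (plain string equality stands in for full SIP URI comparison).
    policy "host":  an Audience value must equal the host part of the To addr-spec.
    An assertion with no <Audience> element at all fails under either policy.
    """
    spec = to_addr_spec(to_header)
    values = audiences(assertion_xml)
    if not values:
        return False
    if policy == "exact":
        return any(v == spec for v in values)
    if policy == "host":
        target = host_of(spec)
        return any(v.lower() == target for v in values)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for policy in ("exact", "host"):
        print(policy, audience_matches(SAMPLE_ASSERTION, SAMPLE_TO_HEADER, policy))
```

Run against the draft's example value, the "exact" reading rejects the assertion and the "host" reading accepts it, which is exactly why the normative text and the section 8 example cannot both stand as written: an implementer choosing one reading will not interoperate with one choosing the other.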
>-----Original Message-----
>From: ext DRAGE, Keith (Keith) [mailto:[EMAIL PROTECTED]
>Sent: 12.June.2007 12:14
>To: IETF SIP List
>Subject: [Sip] draft-ietf-sip-saml-02
>
>(As WG chair)
>
>Well it seems there is interest in this work, but it is not getting the
>attention it deserves.
>
>Some people also seem to think it is almost there, but we have
>no way of
>judging that without seeing what comments are being made
>against the
>document (or of course reviewing it ourselves).
>
>This week is a quiet week (we supposedly finished our current WGLC
>yesterday, and we are not yet ready to initiate another one, and the
>draft closure deadlines for the forthcoming IETF are still a
>little bit
>away).
>
>We therefore task the working group to take the next 7 calendar days
>(ending Monday 18th June) to open up:
>
>http://www.ietf.org/internet-drafts/draft-ietf-sip-saml-02.txt
>
>And for everyone to post at least one comment on the document
>to the SIP
>list. Posts can cover any of:
>
>- completeness - is there something missing?
>- applicability - does it identify and solve a problem?
>- readability - I didn't understand what it was trying to tell me?
>- correctness of technical solution - the solution is flawed?
>- nits
>
>We would also welcome suggestions as to whether review is needed by
>other groups than the SIP WG.
>
>And of course if you read it and find it absolutely perfect, send the
>chairs a mail at least to tell us.
>
>Regards
>
>Keith
>
>
>_______________________________________________
>Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
>This list is for NEW development of the core SIP Protocol
>Use [EMAIL PROTECTED] for questions on current sip
>Use [EMAIL PROTECTED] for new developments on the application of sip
>