IESG Approves a Request to Register MIME Media Type application/samlassertion+xml and application/samlmetadata+xml


Summary

On November 01, 2004 the IETF Secretariat announced the approval of two requests to register MIME media types in the standards tree, as outlined in IETF's Media Type Specifications and Registration Procedures: application/samlmetadata+xml and application/samlassertion+xml.

The text of the announcement for the application/samlassertion+xml registration is presented below, with additional references. For some details on registration of media types, see draft-freed-media-type-reg-01.txt. Application Media-Types are listed on the IANA web site.

For application/samlmetadata+xml, see Section 6 "Registration of MIME Media Type 'application/samlmetadata+xml'" (lines 1450-1615) in Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS SSTC, Committee Draft version 02, 24-September-2004. This section defines a MIME media type — application/samlmetadata+xml — for use with the XML serialization of Security Assertion Markup Language metadata.

The IETF announcements:


MIME Type Registration Request Approval: application/samlassertion+xml


To:        IANA <iana at iana.org> 
Subject:   MIME Type Registration Request Approval: application/samlassertion+xml 
From:      IETF Secretariat <ietf-secretariat-reply at ietf.org> 
Date:      Mon, 01 Nov 2004 14:16:01 -0500

The IESG has approved a request to register the "application/samlassertion+xml" MIME media type in the standards tree. This media type is a product of the Organization for the Advancement of Structured Information Systems (OASIS).

The IESG contact persons are Ted Hardie and Scott Hollenbeck.

MIME media type name: application

MIME subtype name: samlassertion+xml

Required parameters: none

Optional parameters: charset
Same as charset parameter of application/xml [RFC3023].

Encoding considerations:
Same as for application/xml [RFC3023].

Security considerations:

Per their specification, samlassertion+xml typed objects do not contain executable content. However, SAML assertions are XML-based objects [XML]. As such, they have all of the general security considerations presented in section 10 of [RFC3023], as well as additional ones, since they are explicit security objects. For example, samlassertion+xml typed objects will often contain data that may identify or pertain to a natural person, and may be used as a basis for sessions and access control decisions.

To counter potential issues, samlassertion+xml typed objects contain data that should be signed appropriately by the sender. Any such signature must be verified by the recipient of the data - both as a valid signature, and as being the signature of the sender. Issuers of samlassertion+xml objects containing SAMLv2 assertions may also encrypt all, or portions of, the assertions [SAMLv2Core].

In addition, SAML profiles and protocol bindings specify use of secure channels as appropriate.

[SAMLv2.0] incorporates various privacy-protection techniques in its design. For example: opaque handles, specific to interactions between specific system entities, are assigned to subjects. The handles are mappable to wider-context identifiers (e.g., email addresses, account identifiers, etc.) by only the specific parties.

For a more detailed discussion of SAML security considerations and specific security-related design techniques, please refer to the SAML specifications listed in the below bibliography. The specifications containing security-specific information have been explicitly listed for each version of SAML.

Interoperability considerations:

SAML assertions are explicitly versioned. Relying parties should ensure that they observe assertion version information and behave accordingly. See "Chapter 4 SAML Versioning" in [SAMLv1Core], [SAMLv11Core], or [SAMLv2Core], as appropriate.

Published specification:

[SAMLv2Bind] explicitly specifies use of the application/samlassertion+xml MIME media type. However, it is conceivable that non-SAMLv2 assertions (i.e., SAMLv1 and/or SAMLv1.1) might in practice be conveyed using SAMLv2 bindings.

Applications which use this media type:

Potentially any application implementing SAML, as well as those applications implementing specifications based on SAML, e.g., those available from the Liberty Alliance [LAP].

Additional Information

Magic number(s):

In general, the same as for application/xml [RFC3023]. In particular, the XML root element of the returned object will be <saml:Assertion>, where "saml" maps to a version-specific SAML assertion namespace, as defined by the appropriate SAML "core" specification (see bibliography). In the case of SAMLv2.0, the root element of the returned object may be either <saml:Assertion> or <saml:EncryptedAssertion>, where "saml" maps to the SAMLv2.0 assertion namespace: urn:oasis:names:tc:SAML:2.0:assertion

File extension(s): none
Macintosh File Type Code(s): none

Person & email address to contact for further information:

This registration is made on behalf of the OASIS Security Services Technical Committee (SSTC). Please refer to the SSTC website for current information on committee chairperson(s) and their contact addresses: http://www.oasis-open.org/committees/security/. Committee members should submit comments and potential errata to the securityservices at lists.oasis-open.org list. Others should submit them by filling out the web form located at http://www.oasis-open.org/committees/comments/form.php?wg_abbrev=secur

Additionally, the SAML developer community email distribution list, saml-dev at lists.oasis-open.org, may be employed to discuss usage of the application/samlassertion+xml MIME media type. The "saml-dev" mailing list is publicly archived here: http://lists.oasis-open.org/archives/saml-dev/. To post to the "saml-dev" mailing list, one must subscribe to it. To subscribe, send a message with the single word "subscribe" in the message body, to: saml-dev-request at lists.oasis-open.org.

Intended usage: COMMON

Author/Change controller:

The SAML specification sets are a work product of the OASIS Security Services Technical Committee (SSTC). OASIS and the SSTC have change control over the SAML specification sets.

Bibliography

[LAP] "Liberty Alliance Project". See http://www.projectliberty.org/

[OASIS] "Organization for the Advancement of Structured Information Systems". See http://www.oasis-open.org/

[RFC3023] M. Murata, S. St.Laurent, D. Kohn, "XML Media Types", IETF Request for Comments 3023, January 2001. Available as http://www.rfc-editor.org/rfc/rfc3023.txt

[SAMLv1.0] OASIS Security Services Technical Committee, "Security Assertion Markup Language (SAML) Version 1.0 Specification Set". OASIS Standard 200205, November 2002. Available as http://www.oasis-open.org/committees/download.php/2290/oasis-sstc-saml-1.0.zip

[SAMLv1Bind] Prateek Mishra et al., "Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML)", OASIS, November 2002. Document ID oasis-sstc-saml-bindings-1.0. See http://www.oasis-open.org/committees/security/

[SAMLv1Core] Phillip Hallam-Baker et al., "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)", OASIS, November 2002. Document ID oasis-sstc-saml-core-1.0. See http://www.oasis-open.org/committees/security/

[SAMLv1Sec] Chris McLaren et al., "Security Considerations for the OASIS Security Assertion Markup Language (SAML)", OASIS, November 2002. Document ID oasis-sstc-saml-sec-consider-1.0. See http://www.oasis-open.org/committees/security/

[SAMLv1.1] OASIS Security Services Technical Committee, "Security Assertion Markup Language (SAML) Version 1.1 Specification Set". OASIS Standard 200308, August 2003. Available as http://www.oasis-open.org/committees/download.php/3400/oasis-sstc-saml-1.1-pdf-xsd.zip

[SAMLv11Bind] E. Maler et al. "Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML)". OASIS, September 2003. Document ID oasis-sstc-saml-bindings-1.1. http://www.oasis-open.org/committees/security/

[SAMLv11Core] E. Maler et al. "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)". OASIS, September 2003. Document ID oasis-sstc-saml-core-1.1. http://www.oasis-open.org/committees/security/

[SAMLv11Sec] E. Maler et al. "Security Considerations for the OASIS Security Assertion Markup Language (SAML)". OASIS, September 2003. Document ID oasis-sstc-saml-sec-consider-1.1. http://www.oasis-open.org/committees/security/

[SAMLv2.0] OASIS Security Services Technical Committee, "Security Assertion Markup Language (SAML) Version 2.0 Specification Set". WORK IN PROGRESS. Available at http://www.oasis-open.org/committees/security/

[SAMLv2Bind] S. Cantor et al., "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0". OASIS SSTC, August 2004. Document ID sstc-saml-bindings-2.0-cd-01, WORK IN PROGRESS. See http://www.oasis-open.org/committees/security/

[SAMLv2Core] S. Cantor et al., "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0". OASIS SSTC, August 2004. Document ID sstc-saml-core-2.0-cd-01, WORK IN PROGRESS. See http://www.oasis-open.org/committees/security/

[SAMLv2Prof] S. Cantor et al., "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0". OASIS SSTC, August 2004. Document ID sstc-saml-profiles-2.0-cd-01, WORK IN PROGRESS. See http://www.oasis-open.org/committees/security/

[SAMLv2Sec] F. Hirsch et al., "Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0". OASIS SSTC, August 2004, WORK IN PROGRESS. Document ID sstc-saml-sec-consider-2.0-cd-01. See http://www.oasis-open.org/committees/security/

[SSTC] "OASIS Security Services Technical Committee". See http://www.oasis-open.org/committees/security/

[XML] Bray, T., Paoli, J., Sperberg-McQueen, C.M. and E. Maler, "Extensible Markup Language (XML) 1.0 (Second Edition)", World Wide Web Consortium Recommendation REC-xml, October 2000, Available as http://www.w3.org/TR/REC-xml

IETF-Announce mailing list
IETF-Announce at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce

[Source: http://www1.ietf.org/mail-archive/web/ietf-announce/current/msg00656.html]
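
A receiver-side check of what the registration above describes (the media type, the root element and namespace from "Magic number(s)", and the version information from "Interoperability considerations"), added here as an example; it is not part of the IETF announcement or of the SAML specifications. The function name `classify_assertion`, the sample document and the SAML 1.x namespace constant are assumptions of this example, and the returned flag records only that a `ds:Signature` child is present: verifying that signature against the sender's key is a separate step.

```python
from email.message import Message
from xml.parsers import expat

MEDIA_TYPE = "application/samlassertion+xml"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # given in the registration
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.0/1.1; not on the page
DSIG_SIGNATURE = "http://www.w3.org/2000/09/xmldsig# Signature"
# Constructed sample (not a real assertion; the signature element is empty).
SAMPLE = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
          b'Version="2.0" ID="_a1" IssueInstant="2004-11-01T19:16:01Z">'
          b'<saml:Issuer>https://idp.example.org</saml:Issuer>'
          b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
          b'</saml:Assertion>')

def classify_assertion(content_type, body):
    """Return (saml_version, root_local_name, has_signature) or raise ValueError."""
    hdr = Message()
    hdr["Content-Type"] = content_type
    if hdr.get_content_type() != MEDIA_TYPE:
        raise ValueError("unexpected media type")
    seen = {"depth": 0, "root": None, "attrs": {}, "signed": False}

    def start(name, attrs):
        if seen["depth"] == 0:                       # document (root) element
            seen["root"], seen["attrs"] = name, attrs
        elif seen["depth"] == 1 and name == DSIG_SIGNATURE:
            seen["signed"] = True                    # direct child of the root
        seen["depth"] += 1
    def end(_name):
        seen["depth"] -= 1
    def doctype(*_args):   # SAML needs no DTD; refusing it blocks entity tricks
        raise ValueError("DOCTYPE not allowed")
    # The charset parameter, when present, overrides the XML declaration.
    parser = expat.ParserCreate(hdr.get_content_charset(), " ")
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc

    ns, _, local = seen["root"].rpartition(" ")
    attrs = seen["attrs"]
    if ns == SAML2_NS and local == "EncryptedAssertion":
        return ("2.0", local, False)   # any signature is inside the ciphertext
    if ns == SAML2_NS and local == "Assertion" and attrs.get("Version") == "2.0":
        return ("2.0", local, seen["signed"])
    if ns == SAML1_NS and local == "Assertion" and attrs.get("MajorVersion") == "1":
        return ("1." + attrs.get("MinorVersion", "?"), local, seen["signed"])
    raise ValueError("root element is not a recognised SAML assertion")
```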

Prepared by Robin Cover for The XML Cover Pages archive.


Document URL: http://xml.coverpages.org/samlassertionMIME.html