--- draft-ietf-kitten-sasl-saml-ec-18.txt
+++ draft-ietf-kitten-sasl-saml-ec-19.txt
(Lines prefixed "-" appear only in -18, lines prefixed "+" only in -19; unprefixed lines are common to both.)

Network Working Group S. Cantor
Internet-Draft Shibboleth Consortium
Intended status: Standards Track S. Josefsson
-Expires: February 1, 2020 SJD AB
-July 31, 2019
+Expires: February 29, 2020 SJD AB
+August 28, 2019

SAML Enhanced Client SASL and GSS-API Mechanisms
-draft-ietf-kitten-sasl-saml-ec-18
+draft-ietf-kitten-sasl-saml-ec-19

Abstract

Security Assertion Markup Language (SAML) 2.0 is a generalized
framework for the exchange of security-related information between
asserting and relying parties. Simple Authentication and Security
Layer (SASL) and the Generic Security Service Application Program
Interface (GSS-API) are application frameworks to facilitate an
extensible authentication model. This document specifies a SASL and
GSS-API mechanism for SAML 2.0 that leverages the capabilities of a
skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-This Internet-Draft will expire on February 1, 2020.
+This Internet-Draft will expire on February 29, 2020.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 2, line 46
6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7. Security Considerations . . . . . . . . . . . . . . . . . . . 25
7.1. Risks Left Unaddressed . . . . . . . . . . . . . . . . . 26
7.2. User Privacy . . . . . . . . . . . . . . . . . . . . . . 26
7.3. Collusion between RPs . . . . . . . . . . . . . . . . . . 27
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
8.1. GSS-API and SASL Mechanism Registration . . . . . . . . . 27
8.2. XML Namespace Name for SAML-EC . . . . . . . . . . . . . 27
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1. Normative References . . . . . . . . . . . . . . . . . . 28
-9.2. Normative References for GSS-API Implementers . . . . . . 29
-9.3. Informative References . . . . . . . . . . . . . . . . . 30
+9.2. Informative References . . . . . . . . . . . . . . . . . 30
Appendix A. XML Schema . . . . . . . . . . . . . . . . . . . . . 31
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 33
Appendix C. Changes . . . . . . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34

1. Introduction

Security Assertion Markup Language (SAML) 2.0
[OASIS.saml-core-2.0-os] is a modular specification that provides
various means for a user to be identified to a relying party (RP)
skipping to change at page 3, line 21
identity provider (IdP). It includes a number of protocols, protocol
bindings [OASIS.saml-bindings-2.0-os], and interoperability profiles
[OASIS.saml-profiles-2.0-os] designed for different use cases.
Additional profiles and extensions are also routinely developed and
published.

Simple Authentication and Security Layer (SASL) [RFC4422] is a
generalized mechanism for identifying and authenticating a user and
for optionally negotiating a security layer for subsequent protocol
interactions. SASL is used by application protocols like IMAP, POP
-and XMPP [RFC3920]. The effect is to make authentication modular, so
+and XMPP [RFC6120]. The effect is to make authentication modular, so
that newer authentication mechanisms can be added as needed.

The Generic Security Service Application Program Interface (GSS-API)
[RFC2743] provides a framework for applications to support multiple
authentication mechanisms through a unified programming interface.
This document defines a pure SASL mechanism for SAML, but it conforms
to the bridge between SASL and the GSS-API called GS2 [RFC5801].
This means that this document defines both a SASL mechanism and a
GSS-API mechanism. The GSS-API interface is optional for SASL
implementers, and the GSS-API considerations can be avoided in
skipping to change at page 5, line 23
GSS-API mechanism, and then knowledge of GSS-API is essential. To
faciliate these two variants, the references has been split into two
parts, one part that provides normative references for all readers,
and one part that adds additional normative references required for
implementers that wish to implement the GSS-API portion.

3. Applicability for Non-HTTP Use Cases

While SAML is designed to support a variety of application scenarios,
the profiles for authentication defined in the original standard are
-designed around HTTP [RFC2616] applications. They are not, however,
+designed around HTTP [RFC7230] applications. They are not, however,
limited to browsers, because it was recognized that browsers suffer
from a variety of functional and security deficiencies that would be
useful to avoid where possible. Specifically, the notion of an
"Enhanced Client" (or a proxy acting as one on behalf of a browser,
thus the term "ECP") was specified for a software component that acts
somewhat like a browser from an application perspective, but includes
limited, but sufficient, awareness of SAML to play a more conscious
role in the authentication exchange between the RP and the IdP. What
follows is an outline of the Enhanced Client or Proxy (ECP) Profile
(V2.0) [SAMLECP20], as applied to the web/HTTP service use case:
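Review bot: the Section 2 context lines at the top of this region ("the references has been split into two parts ... one part that adds additional normative references required for implementers that wish to implement the GSS-API portion") are stale in -19, which removes the "9.2. Normative References for GSS-API Implementers" heading and folds those entries into 9.1 (see the table of contents and the references hunks). Either keep the two-part split or rewrite this paragraph to say that the GSS-API references now sit in the single normative list. While editing it, "faciliate" should read "facilitate" and "the references has been split" should read "the references have been split".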
skipping to change at page 9, line 31
4.4. User Authentication with Identity Provider

Upon receipt of the Server Response (Section 4.3), the steps
described in sections 2.3.3 through 2.3.6 of [SAMLECP20] are
performed between the client and the chosen IdP. The means by which
the client determines the IdP to use, and where it is located, are
out of scope of this mechanism.

The exact means of authentication to the IdP are also out of scope,
but clients supporting this mechanism MUST support HTTP Basic
-Authentication as defined in [RFC2617] and TLS client authentication
-as defined in [RFC5246].
+Authentication as defined in [RFC7617] and TLS 1.3 client
+authentication as defined in [RFC8446].

4.5. Client Response

Assuming a response is obtained from the IdP, the client responds to
the SASL server with a SOAP envelope constructed in accordance with
section 2.3.7 of [SAMLECP20]. This includes adhering to the SOAP
header requirements of the SAML PAOS Binding
[OASIS.saml-bindings-2.0-os], for compatibility with the existing
profile. If the client is unable to obtain a response from the IdP,
or must otherwise signal failure, it responds to the SASL server with
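Review bot: the Section 4.4 hunk turns "TLS client authentication as defined in [RFC5246]" into "TLS 1.3 client authentication as defined in [RFC8446]", which narrows a MUST-level client requirement from TLS client authentication in general to TLS 1.3 specifically; a client that only implements TLS 1.2 client authentication would become non-conforming. That goes beyond the "update obsoleted references" entry Appendix C records for -19. If the intent is only to cite the current TLS specification, suggest "TLS client authentication as defined in [RFC8446]" without the version qualifier; if TLS 1.3 is genuinely required, record it as a normative change in Appendix C.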
skipping to change at page 15, line 28
5.5. Pseudo-Random Function (PRF)

The GSS-API has been extended with a Pseudo-Random Function (PRF)
interface in [RFC4401]. The purpose is to enable applications to
derive a cryptographic key from an established GSS-API security
context. This section defines a GSS_Pseudo_random that is applicable
for the SAML20EC GSS-API mechanism.

The GSS_Pseudo_random() [RFC4401] SHALL be the same as for the
-Kerberos V5 GSS-API mechanism [RFC4402]. There is no acceptor-
+Kerberos V5 GSS-API mechanism [RFC7802]. There is no acceptor-
asserted sub-session key, thus GSS_C_PRF_KEY_FULL and
GSS_C_PRF_KEY_PARTIAL are equivalent. The protocol key to be used
for the GSS_Pseudo_random() SHALL be the same as the key defined in
the previous section.

5.6. GSS-API Principal Name Types for SAML EC

Services that act as SAML relying parties are typically identified by
means of a URI called an "entityID". Clients that are named in the
<Subject> element of a SAML assertion are typically identified by
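Review bot: this hunk changes the document that defines GSS_Pseudo_random() for SAML20EC from [RFC4402] to [RFC7802]. Because the mechanism's PRF is specified purely by reference, any computational difference between the two RFCs becomes a difference in the keys SAML20EC implementations derive, yet Appendix C records -19 only as "update obsoleted references". A sentence here or in Appendix C stating whether existing implementations' PRF output is unaffected by the new reference would help implementers.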
skipping to change at page 28, line 34
Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra,
P., Philpott, R., and E. Maler, "Profiles for the OASIS
Security Assertion Markup Language (SAML) V2.0", OASIS
Standard OASIS.saml-profiles-2.0-os, March 2005.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

-[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
-Leach, P., Luotonen, A., and L. Stewart, "HTTP
-Authentication: Basic and Digest Access Authentication",
-RFC 2617, DOI 10.17487/RFC2617, June 1999,
-<https://www.rfc-editor.org/info/rfc2617>.
-
-[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-Resource Identifier (URI): Generic Syntax", STD 66,
-RFC 3986, DOI 10.17487/RFC3986, January 2005,
-<https://www.rfc-editor.org/info/rfc3986>.
-
-[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
-Authentication and Security Layer (SASL)", RFC 4422,
-DOI 10.17487/RFC4422, June 2006,
-<https://www.rfc-editor.org/info/rfc4422>.
-
-[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
-Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
-<https://www.rfc-editor.org/info/rfc4648>.
-
-[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
-(TLS) Protocol Version 1.2", RFC 5246,
-DOI 10.17487/RFC5246, August 2008,
-<https://www.rfc-editor.org/info/rfc5246>.
-
-[SAMLECP20]
-Cantor, S., "SAML V2.0 Enhanced Client or Proxy Profile
-Version 2.0", OASIS Committee Specification OASIS.sstc-
-saml-ecp-v2.0-cs01, August 2013.
-
-[W3C.soap11]
-Box, D., Ehnebuske, D., Kakivaya, G., Layman, A.,
-Mendelsohn, N., Nielsen, H., Thatte, S., and D. Winer,
-"Simple Object Access Protocol (SOAP) 1.1", W3C
-Note soap11, May 2000, <http://www.w3.org/TR/SOAP/>.
-
-9.2. Normative References for GSS-API Implementers

[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743,
DOI 10.17487/RFC2743, January 2000,
<https://www.rfc-editor.org/info/rfc2743>.

[RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
Kerberos 5", RFC 3961, DOI 10.17487/RFC3961, February
2005, <https://www.rfc-editor.org/info/rfc3961>.

[RFC3962] Raeburn, K., "Advanced Encryption Standard (AES)
Encryption for Kerberos 5", RFC 3962,
DOI 10.17487/RFC3962, February 2005,
<https://www.rfc-editor.org/info/rfc3962>.

+[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+Resource Identifier (URI): Generic Syntax", STD 66,
+RFC 3986, DOI 10.17487/RFC3986, January 2005,
+<https://www.rfc-editor.org/info/rfc3986>.
+
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2", RFC 4121,
DOI 10.17487/RFC4121, July 2005,
<https://www.rfc-editor.org/info/rfc4121>.

[RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API
Extension for the Generic Security Service Application
Program Interface (GSS-API)", RFC 4401,
DOI 10.17487/RFC4401, February 2006,
<https://www.rfc-editor.org/info/rfc4401>.

-[RFC4402] Williams, N., "A Pseudo-Random Function (PRF) for the
-Kerberos V Generic Security Service Application Program
-Interface (GSS-API) Mechanism", RFC 4402,
-DOI 10.17487/RFC4402, February 2006,
-<https://www.rfc-editor.org/info/rfc4402>.
+[RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
+Authentication and Security Layer (SASL)", RFC 4422,
+DOI 10.17487/RFC4422, June 2006,
+<https://www.rfc-editor.org/info/rfc4422>.
+
+[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
+<https://www.rfc-editor.org/info/rfc4648>.

[RFC5554] Williams, N., "Clarifications and Extensions to the
Generic Security Service Application Program Interface
(GSS-API) for the Use of Channel Bindings", RFC 5554,
DOI 10.17487/RFC5554, May 2009,
<https://www.rfc-editor.org/info/rfc5554>.

[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API) Mechanisms
in Simple Authentication and Security Layer (SASL): The
skipping to change at page 30, line 34 (-18) / page 29, line 49 (-19)
Josefsson, "Generic Security Service Application
Programming Interface (GSS-API) Naming Extensions",
RFC 6680, DOI 10.17487/RFC6680, August 2012,
<https://www.rfc-editor.org/info/rfc6680>.

[RFC7056] Hartman, S. and J. Howlett, "Name Attributes for the GSS-
API Extensible Authentication Protocol (EAP) Mechanism",
RFC 7056, DOI 10.17487/RFC7056, December 2013,
<https://www.rfc-editor.org/info/rfc7056>.

-9.3. Informative References
+[RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme",
+RFC 7617, DOI 10.17487/RFC7617, September 2015,
+<https://www.rfc-editor.org/info/rfc7617>.
+
+[RFC7802] Emery, S. and N. Williams, "A Pseudo-Random Function (PRF)
+for the Kerberos V Generic Security Service Application
+Program Interface (GSS-API) Mechanism", RFC 7802,
+DOI 10.17487/RFC7802, March 2016,
+<https://www.rfc-editor.org/info/rfc7802>.
+
+[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
+Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
+<https://www.rfc-editor.org/info/rfc8446>.
+
+[SAMLECP20]
+Cantor, S., "SAML V2.0 Enhanced Client or Proxy Profile
+Version 2.0", OASIS Committee Specification OASIS.sstc-
+saml-ecp-v2.0-cs01, August 2013.
+
+[W3C.soap11]
+Box, D., Ehnebuske, D., Kakivaya, G., Layman, A.,
+Mendelsohn, N., Nielsen, H., Thatte, S., and D. Winer,
+"Simple Object Access Protocol (SOAP) 1.1", W3C
+Note soap11, May 2000, <http://www.w3.org/TR/SOAP/>.
+
+9.2. Informative References

[OASIS.saml-metadata-2.0-os]
Cantor, S., Moreh, J., Philpott, R., and E. Maler,
"Metadata for the Security Assertion Markup Language
(SAML) V2.0", OASIS Standard saml-metadata-2.0-os, March
2005.

-[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
-Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
-Transfer Protocol -- HTTP/1.1", RFC 2616,
-DOI 10.17487/RFC2616, June 1999,
-<https://www.rfc-editor.org/info/rfc2616>.
-
-[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
-Protocol (XMPP): Core", RFC 3920, DOI 10.17487/RFC3920,
-October 2004, <https://www.rfc-editor.org/info/rfc3920>.
-
[RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based
Kerberos and NTLM HTTP Authentication in Microsoft
Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006,
<https://www.rfc-editor.org/info/rfc4559>.

+[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
+Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120,
+March 2011, <https://www.rfc-editor.org/info/rfc6120>.
+
+[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+Protocol (HTTP/1.1): Message Syntax and Routing",
+RFC 7230, DOI 10.17487/RFC7230, June 2014,
+<https://www.rfc-editor.org/info/rfc7230>.
+
[W3C.REC-xmlschema-1]
Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn,
"XML Schema Part 1: Structures", W3C REC-xmlschema-1, May
2001, <http://www.w3.org/TR/xmlschema-1/>.

[WSS-SAML]
Monzillo, R., "Web Services Security SAML Token Profile
Version 1.1.1", OASIS Standard OASIS.wss-SAMLTokenProfile,
May 2012.
skipping to change at page 33, line 14
Appendix B. Acknowledgments

The authors would like to thank Klaas Wierenga, Sam Hartman, Nico
Williams, Jim Basney, and Venkat Yekkirala for their contributions.

Appendix C. Changes

This section to be removed prior to publication.

-o 15,16,17, avoid expiration
+o 19, update obsoleted references
+o 15,16,17,18 avoid expiration
o 14, address some minor comments
o 13, clarify SAML metadata usage, adding a recommended Binding
value alongside the backward-compatibility usage of PAOS
o 12, clarifying comments based on WG feedback, with a normative
change to use enctype numbers instead of names
o 11, update EAP Naming reference to RFC
End of changes. 15 change blocks.
66 lines changed or deleted (-18), 61 lines changed or added (-19).

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/