Subject: [OASIS members] SAML Committee Specification for consideration as OASIS Standard

OASIS members:

The OASIS Security Services TC has submitted the SAML V1.0 specification, which is an approved Committee Specification, for review and consideration for approval by OASIS members to become an OASIS Standard.

In accordance with Section 2 of the OASIS Technical Process (see http://www.oasis-open.org/committees/process.shtml#sec2), OASIS members have one calendar quarter to review this submission then 30 days for voting. The review will take place from 1 July to 30 September 2002, and I will call for a vote on 1 October 2002; each OASIS member organization will have a single vote on the ballot.

During the member review period comments may be sent to the TC via the TC's comment list at security-services-comment@lists.oasis-open.org. You must subscribe to the list first before posting; go to http://lists.oasis-open.org/ob/adm.pl

The OASIS TC has supplied the following required items for OASIS members to review:

------------

As a result of a unanimous vote of the Security Services Technical Committee conducted on Tuesday 28 May 2002, the TC co-chairs hereby submit the SAML 1.0 specification for consideration as an OASIS Standard.

Pursuant to the process stipulated in Section 2 of the OASIS Technical Committee Policy, the TC has published:

(a) A formal specification that is a valid member of its type.

(b) Appropriate documentation for the specification.

This material, in the currently recommended OASIS format, is available on the TC web site at http://www.oasis-open.org/committees/security/#documents

These are the normative documents related to the specification.

* Assertions and Protocol
  http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf
* Assertion Schema
  http://www.oasis-open.org/committees/security/docs/cs-sstc-schema-assertion-01.xsd
* Protocol Schema
  http://www.oasis-open.org/committees/security/docs/cs-sstc-schema-protocol-01.xsd
* Bindings and Profiles
  http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-01.pdf
* Conformance Program Specification
  http://www.oasis-open.org/committees/security/docs/cs-sstc-conform-01.pdf
* Glossary
  http://www.oasis-open.org/committees/security/docs/cs-sstc-glossary-01.pdf

Non-normative information related to the specification:

* Security and Privacy Considerations
  http://www.oasis-open.org/committees/security/docs/cs-sstc-sec-consider-01.pdf
* Open issues summary document
  http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-status-06.pdf
* Issues list
  http://www.oasis-open.org/committees/security/docs/draft-sstc-saml-issues-12.pdf
* Errata document describing changes from the 00 to the 01 revision
  http://www.oasis-open.org/committees/security/docs/draft-sstc-cs-errata-04.pdf

(c) A clear English-language summary of the specification.

The Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A typical example of a subject is a person, identified by his or her email address in a particular Internet DNS domain. Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources.

Assertions are represented as XML constructs and have a nested structure, whereby a single assertion might contain several different internal statements about authentication, authorization, and attributes. Note that assertions containing authentication statements merely describe acts of authentication that happened previously.

Assertions are issued by SAML authorities, namely, authentication authorities, attribute authorities, and policy decision points. SAML defines a protocol by which clients can request assertions from SAML authorities and get a response from them. This protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport protocols; SAML currently defines one binding, to SOAP over HTTP.

SAML may be profiled to enable Single Sign-On (SSO), the ability of a user to authenticate in one domain and use resources in other domains without re-authenticating. The SAML specifications define two Web Browser SSO Profiles. However, note that SAML can be profiled to support various non-SSO-specific usage scenarios, such as in authorization systems.

(d) Certifications of implementation

The chairs are pleased to report that more than 10 companies have provided attestations of implementation and use for SAML 1.0. As SAML 1.0 conformance allows for modular implementation of the specification, the committee has determined that each aspect of the specification has been implemented by at least 5 companies. All implementers have been made aware of IPR claims regarding the specification and insofar as any processes have been established for complying with these claims, each implementer believes they have taken adequate steps to comply with any such rights, or claimed rights.

A complete list of attestations from implementers is available in the Security Services TC e-mail archives.

The following representative list of attestations of implementation and acknowledgment of IPR claims satisfies the OASIS requirement for submitting a specification for review:

Sun Microsystems
  http://lists.oasis-open.org/archives/security-services/200205/msg00040.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00021.html
Oblix
  http://lists.oasis-open.org/archives/security-services/200205/msg00045.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00019.html
Quadrasis
  http://lists.oasis-open.org/archives/security-services/200205/msg00038.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00029.html
CrossLogix
  http://lists.oasis-open.org/archives/security-services/200205/msg00037.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00026.html
Entrust
  http://lists.oasis-open.org/archives/security-services/200205/msg00074.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00027.html
Internet2
  http://lists.oasis-open.org/archives/security-services/200205/msg00030.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00028.html
Novell
  http://lists.oasis-open.org/archives/security-services/200206/msg00000.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00030.html
Sigaba
  http://lists.oasis-open.org/archives/security-services/200205/msg00043.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00031.html
Baltimore
  http://lists.oasis-open.org/archives/security-services/200205/msg00042.html
  http://lists.oasis-open.org/archives/security-services/200206/msg00033.html

(e) History of previous OASIS standardization attempts.

There have been no past attempts to submit SAML for OASIS standardization.

(f) Publicly visible comments archive.

The Security Services TC comment archive can be found at http://lists.oasis-open.org/archives/security-services-comment/

(g) OASIS IPR policy statement.

The chairs certify that all members of the TC have been provided with a copy of the OASIS IPR policy.

Respectfully submitted,

Joe Pato & Jeff Hodges
Co-Chairs
OASIS Security Services TC

</karl>
=================================================================
Karl F. Best
OASIS - Director, Technical Operations
+1 978.667.5115 x206
karl.best@oasis-open.org  http://www.oasis-open.org