Comments on S2ML .8a

["Joseph M. Reagle Jr." <reagle@w3.org>]

I apologize if this is the wrong list for comments on this document, but 
I've been trying to keep up and comment on various XML  security proposals 
and some don't have much metadata associated with them, like where to send 
comments. <smile> For instance, I've already sent a few comments on AuthXML 
[1] and XKMS [2] and I hope they went to the right place. Which brings me to 
my second "meta-comment", I still don't have a very good big-picture of the 
relationship between these things. (For instance, S2ML makes reference of 
TAS, which mentions XKMS, so I assume their somehow related.) I don't say 
this to criticize, this is cool though nascent stuff; I say this by way of 
asking patience for any stupid questions or assumptions on my part.

[1] http://lists.w3.org/Archives/Public/www-archive/2000Dec/0002.html
[2] http://lists.w3.org/Archives/Public/www-archive/2000Dec/0004.html

So on that note and in trying to understand the S2ML specification I'm 
having some difficulty with the concepts of Assertions and Entitlements, 
Authentication and Authorization. For instance, X-TASS seems to describe an 
assertion capability, but I don't understand the generic/abstract case. I 
see it has some metadata about the assertion (Issuer, assertionUID, 
ValidityDate) and how to express two types of specific assertions (1) access 
to resources and (2) a services opinion of others assertions validity, but I 
don't understand if it's suppose to be something generic -- like SPKI tuples 
or RDF statements?

Then S2ML itself speaks of NameAssertion, which is a statement about 
"authentication type, subject name and authenticator." Entitlement is an 
assertion too (so maybe it should be called EntitlementAssertion, or 
assertion should have a pure definition, and these other things not use the 
term?) about authorization. These things seem to have some things in common, 
but I'm not sure what their differences are, same with 
Authentication/Authorization (and Credentials...) Some of the differences 
seems to be that they expect to occur in a query versus a response, which 
seems odd. For instance, one could define it such that a query is a query, 
and a response is a response, and one can then make all manner of 
authorization, authentication responses and queries.

So, sorry if that's confused but I know I would understand better if I had 
some data model behind it, and/or term ontology in which things were clearly 
pulled apart:
assertion: w is x.
entitlement: an assertion of the form where w is of {a,b,c} and x is of {d}
authorization: an assertion of the form where w is of {g} and x is {s,t}
request: y is (w is x) bound to some protocol
response: z is (y is (w is x)) bound to some protocol.

I'm clearly no logic whiz, but I'm thinking differences between 
syntax/semantic (how to make a statement), protocol (how to send statements 
back and forth), and query (statements like a database query or XML query 
where I want to get a statement returned (using the protocol) of a 
particular type (particular XML or a truth value)).

Ok, with that confused mumbling out of the way, I only have two 
straightforward comments:

Section 4.1, example:
The urn in the Audience element is missing it's NID [3].

Section 5.4.1.1
Why have a AzModel attribute with a namespace since any external content is 
going to namespace qualified anyway (so it will be redundant and/or 
confusing)?

[3] http://www.ietf.org/rfc/rfc2141.txt

__
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/