security-services message
Subject: Resource sets and resource string semantics


Folks,
I would like to table the issue of assertions over sets of resources
for discussion and also the related issue of the semantics of
resource strings.

To explain what I mean, consider the following example culled from one
of the early v-model example documents and adapted in an attempt to
make it roughly consistent with the current specification. I am probably
committing hideous syntactic sins, so please accept my apologies for
this.

<Assertion>
   <AssertionID>http://www.bizexchange.test/assertion/AE0221
   <Issuer>URN:dns-date:www.bizexchange.test:2001-01-03:19283
   <IssueInstant> <!-- not sure of the valid syntax here --> 
   <ValidityInterval>
      <NotBefore>
      <NotOnOrAfter>
   <Claims>
   <Authority>   
       <Subject>
          <Account>Alice
       <Object>
         <Resource>http://store.carol.test/finance
         <Resource>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance
       <Action>
         <!-- Not sure what goes here see lines 558-565 --> 
   <Conditions>
      <Audiences>http://www.bizexchange.test/rule_book.html
   <Advice> <!-- omit for this discussion -->

The intent of this assertion is to specify authorizations associated
with Alice's account.

Suppose I want to issue an assertion allowing Alice to access all
resources on a large web site with a dynamic resource set,
e.g. http://www.hp.com/ 

Clearly it is not possible to enumerate the entire resource set. So
how do we handle this case?

It occurs to me that some may feel that this sort of assertion should
be considered by XACML, rather than SAML. I guess one possible
resolution is to leave it to XACML.

A related issue is the semantics of resource strings. I believe we
need to define what these are. Suppose one of the <Resource> elements
contains the following: http://www.hp.com/ 

What are the semantics: the home page or everything under it? In my opinion
serious security issues will arise if the asserting party and relying
party apply different semantics.

If it is felt these issues should be discussed at a teleconference, I
regret that I will not be able to attend the May 8th teleconference as
I will be travelling (on board an aircraft at the time of the
teleconference). I currently plan to attend all the other
teleconferences in May.

Nigel.
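The mismatch the message warns about, as an added illustration that is not part of the original post or of any SAML draft: three plausible readings of a <Resource> string (exactly one URL, naive string prefix, hierarchical path prefix) applied to the same asserted value, and a check that lists the requests a relying party would allow that the asserting party never meant to cover. The request URLs are constructed for the example; the two resource strings are the ones from the assertion above.

```python
"""Added example (not from the original message): how an asserting party and
a relying party that read the same <Resource> string differently end up
disagreeing about what was authorized. Request URLs are constructed."""
from urllib.parse import urlsplit


def match_exact(resource: str, request: str) -> bool:
    """Reading 1: the string names exactly one URL (the home page only)."""
    return resource == request


def match_string_prefix(resource: str, request: str) -> bool:
    """Reading 2: naive 'everything under it' as a plain string prefix.
    Pitfall: '.../finance' also covers '.../finance-archive/'."""
    return request.startswith(resource)


def match_path_prefix(resource: str, request: str) -> bool:
    """Reading 3: 'everything under it' as a URL hierarchy. Scheme and host
    must be identical and the request path must be the resource path or a
    descendant of it (segment boundary respected)."""
    r, q = urlsplit(resource), urlsplit(request)
    if (r.scheme, r.netloc) != (q.scheme, q.netloc):
        return False
    base = r.path if r.path.endswith("/") else r.path + "/"
    return q.path == r.path or q.path.startswith(base)


def over_grants(resource, requests, issuer_semantics, rp_semantics):
    """Requests the relying party allows under its reading of the resource
    string but the asserting party did not cover under its own reading.
    A non-empty result is exactly the security gap the post describes."""
    return [q for q in requests
            if rp_semantics(resource, q) and not issuer_semantics(resource, q)]


# Constructed sample requests against the two resource strings in the post.
HP_RESOURCE = "http://www.hp.com/"
HP_REQUESTS = [
    "http://www.hp.com/",                 # the home page itself
    "http://www.hp.com/finance/q1.html",  # something under it
    "https://www.hp.com/",                # different scheme
]

CAROL_RESOURCE = "http://store.carol.test/finance"
CAROL_REQUESTS = [
    "http://store.carol.test/finance",
    "http://store.carol.test/finance/2001/",
    "http://store.carol.test/finance-archive/",  # sibling, not a descendant
]


if __name__ == "__main__":
    # Issuer meant "the home page"; relying party reads "everything under it".
    print("hp over-grants:",
          over_grants(HP_RESOURCE, HP_REQUESTS, match_exact, match_path_prefix))
    # Issuer meant the /finance subtree; relying party uses string prefix.
    print("carol over-grants:",
          over_grants(CAROL_RESOURCE, CAROL_REQUESTS,
                      match_path_prefix, match_string_prefix))
```

The example does not pick a "correct" reading; it only shows that the choice must be fixed by the specification, because every pair of readings that differ yields some request one party grants and the other would not.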
