Subject: [security-services] Presumptuous comments on SAML core-19 draft
I have a bunch of editorial comments on the core-19 draft. As I started working on the Section 1 intro and Section 1.1, I found that the easiest thing was to actually work on the .doc file directly; the comments are fairly invasive (though hopefully they're technically neutral) and it would be a waste of time to try to write out all the suggestions separately. I have attached a .doc file that contains just my reworked version of the beginning of core-19, and below I've also supplied a text version (produced by saving Word as .txt with line breaks and doing a little tweaking) just to make it easier for people to read.

Phill, if you're amenable to these suggestions, perhaps we could coordinate on more such excursions over the next week or two. I'm also happy to do things like making the use of Word styles more consistent, etc.

Eve

* * *

1 SAML Concepts

[WE NEED A WHOLE BUNCH OF INTRO/CONCEPTUAL STUFF HERE. IT SHOULD INCLUDE TERMINOLOGY AND POSSIBLY A CONFORMANCE SECTION.]

2 SAML Schema Organization and Namespaces

The XML format for SAML is primarily defined by a set of two schemas encoded in W3C XML Schema form [XML-Schema1][XML-Schema2]. Additional constraints on this format are provided by the text of this specification.

The SAML request/response protocol structures are defined in a schema associated with the following XML namespace [TEMPORARY]:

    http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-19.xsd

The SAML assertion structures, which MAY be used independently of the SAML protocol structures, are defined in a schema associated with the following XML namespace [TEMPORARY]:

    http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd

The assertion schema is imported into the protocol schema. Also imported into both schemas is the schema for XML Signature [XML-SIG-XSD], which is associated with the following XML namespace:

    http://www.w3.org/2000/09/xmldsig#

The XML Signature element ds:KeyInfo, defined in [XML-SIG] §4.4, is of particular interest in SAML.

XML namespace prefixes are used throughout the schema code examples in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:

- The prefix samlp: stands for the SAML request/response protocol namespace.
- The prefix saml: stands for the SAML assertion namespace. This is the default namespace where no prefixes are provided in message protocol examples.
- The prefix ds: stands for the XML Signature namespace.
- The prefix xsd: stands for the XML Schema namespace. This is the default namespace where no prefixes are provided in schema code examples.

3 SAML Assertion Schema

A SAML assertion is a package of information that provides a statement of "fact" according to the issuer of the assertion. SAML allows issuers to make three different kinds of statement:

- Authentication: The specified subject was authenticated by a particular means at a particular time.
- Authorization decision: A request to allow the specified subject to access the specified object has been granted or denied.
- Attribute: The specified subject is associated with the supplied attributes.

A SAML assertion has a nested structure. An inner AuthenticationStatement, AuthorizationStatement, or AttributeStatement element contains the specifics of the statement, while an outer generic Assertion element provides metadata about the assertion. The metadata for an assertion MUST include at least the major and minor version of the SAML syntax, a unique assertion identifier, an issuer identifier, and the date and time the assertion was issued. In addition, an assertion MAY provide additional conditions and advice.

The nested structure is designed to allow other specifications to add novel kinds of statements that use SAML assertion metadata. Possible additional applications include management of embedded trust roots [XTAML] and authorization policy information [XACML].

The following schema defines the XML namespaces for the assertion schema.

<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="unqualified">
  <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
  <annotation>
    <documentation>draft-sstc-schema-assertion-19.xsd</documentation>
  </annotation>
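A namespace-aware check of the assertion structure described in Section 3 above, added here as an example; it is not part of the draft or of this message. It uses the draft-19 namespace URIs quoted above, and assumes that the required metadata is carried as attributes with the SAML 1.0 names MajorVersion, MinorVersion, AssertionID, Issuer and IssueInstant, which the draft text does not itself name. A statement element counts only when it is in the SAML assertion namespace; a same-named element in another namespace is reported rather than accepted.

```python
import xml.etree.ElementTree as ET

# Namespace URIs exactly as the core-19 draft text gives them (marked TEMPORARY).
SAML_NS = ("http://www.oasis-open.org/committees/security/docs/"
           "draft-sstc-schema-assertion-19.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Assumption: required metadata carried as attributes with the SAML 1.0
# names; the draft text only names the concepts, not the attribute names.
REQUIRED_ATTRS = ("MajorVersion", "MinorVersion", "AssertionID",
                  "Issuer", "IssueInstant")
STATEMENT_KINDS = ("AuthenticationStatement", "AuthorizationStatement",
                   "AttributeStatement")

def q(ns, local):
    """Clark-notation name as ElementTree reports it: {ns}local."""
    return "{%s}%s" % (ns, local)

def check_assertion(xml_text):
    """Return (ok, statements, problems) for one serialized assertion.
    A statement is counted only if it is in the SAML assertion namespace;
    a same-named element in another namespace is reported as a problem."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q(SAML_NS, "Assertion"):
        return False, [], ["root is %s, not saml:Assertion" % root.tag]
    for name in REQUIRED_ATTRS:
        if not root.get(name):
            problems.append("missing required metadata %s" % name)
    statements = []
    for child in root:
        ns, _, local = child.tag[1:].partition("}")
        if local in STATEMENT_KINDS:
            if ns == SAML_NS:
                statements.append(local)
            else:
                problems.append("%s in foreign namespace %s" % (local, ns))
    if not statements:
        problems.append("assertion carries no statement")
    return not problems, statements, problems

# Constructed samples: saml is the default namespace, as in the draft's
# message examples; the second carries a statement in a foreign namespace.
GOOD = """<Assertion xmlns="%s" xmlns:ds="%s" MajorVersion="1" MinorVersion="0"
  AssertionID="example-id-1" Issuer="https://issuer.example" IssueInstant="2001-07-01T12:00:00Z">
  <AuthenticationStatement/><ds:Signature><ds:KeyInfo/></ds:Signature>
</Assertion>""" % (SAML_NS, DS_NS)
FOREIGN = """<Assertion xmlns="%s" xmlns:x="urn:example:other" MajorVersion="1" MinorVersion="0"
  AssertionID="example-id-2" Issuer="https://issuer.example" IssueInstant="2001-07-01T12:00:00Z">
  <x:AttributeStatement/></Assertion>""" % SAML_NS
```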