security-services message
Subject: [security-services] FW: [xacml] Potential SAML issues




-----Original Message-----
From: Sekhar Vajjhala - Sun Microsystems
[mailto:sekhar.vajjhala@sun.com]
Sent: Monday, January 14, 2002 4:10 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Potential SAML issues


SAML ISSUES

These are some of the potential SAML issues. Most of them
were found when attempting to write J2SE policy files
in XACML syntax. Further discussion is needed on these
issues.

ISSUE: saml:Action is a "string"

     saml:Action is currently specified as a "string". Making Action
     an abstract type would allow it to be extended. This would allow
     the content model to be defined by a schema external to the SAML
     spec.

     Thus what constitutes an action could be determined by the J2SE
     schema.

ISSUE: saml:AuthorizationQuery requires actions.

     If actions are optional for XACML, then why should <saml:Actions>
     be required in <saml:AuthorizationQuery>? Both the wording in
     the SAML assertions draft as well as the SAML schema place
     such a requirement. saml:Actions should be optional in the
     AuthorizationQuery to accommodate queries without actions.

     At least for now, I don't anticipate this as an issue for J2SE.

ISSUE: single subject in AuthorizationQuery

     saml:AuthorizationQuery currently only contains a single
     Subject. While a saml:Subject can support multiple NameIdentifier
     or SubjectConfirmation or AssertionSpecifier elements, it
     is required that they all belong to the same principal. So
     a single subject cannot be used for unrelated principals.

     In J2SE, there is a need to base access control on multiple
     principals which are not related, and this therefore points to
     a need for more than one Subject in the saml:AuthorizationQuery.

     NOTE: The way out of this appears to be to extend
     SubjectQueryAbstractType.

-- 
Sekhar
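
An added illustration, not part of Sekhar's message or of any OASIS schema: hypothetical XSD fragments showing the three changes the message asks for (an abstract Action type that an external J2SE schema makes concrete, Actions made optional in the query, and a query derived from SubjectQueryAbstractType that carries several unrelated principals), followed by an instance document that uses them. The names saml:Action, saml:Actions, saml:Subject, saml:AuthorizationQuery and SubjectQueryAbstractType are taken from the message; the namespace URIs, the j2se schema, PermissionActionType, AdditionalSubject, MultiSubjectAuthorizationQuery, the Resource element and the sample principal and permission values are invented for the example, and the fragments assume the draft's existing declarations of Subject and SubjectQueryAbstractType.

```xml
<!-- Added example, not from the message or any OASIS schema. Three hypothetical
     files: a SAML assertion-schema fragment with the proposed changes, a J2SE
     schema built on it, and an instance. URIs and all j2se names are assumptions. -->

<!-- File 1: proposed changes on the SAML side -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion"
           elementFormDefault="qualified">

  <!-- Issue 1: Action is abstract, so SAML fixes no content model; a concrete
       derived type must come from another schema and be selected via xsi:type. -->
  <xs:complexType name="ActionType" abstract="true"/>
  <xs:element name="Action" type="saml:ActionType"/>
  <xs:element name="Actions">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="saml:Action" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- Issue 2: Actions is optional in the query (minOccurs="0"). -->
  <xs:complexType name="AuthorizationQueryType">
    <xs:complexContent>
      <xs:extension base="saml:SubjectQueryAbstractType">
        <xs:sequence>
          <xs:element name="Resource" type="xs:anyURI"/>
          <xs:element ref="saml:Actions" minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="AuthorizationQuery" type="saml:AuthorizationQueryType"/>
</xs:schema>

<!-- File 2: J2SE schema (hypothetical namespace) extending the SAML types -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:j2se="urn:example:j2se-policy"
           targetNamespace="urn:example:j2se-policy"
           elementFormDefault="qualified">
  <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>

  <!-- Issue 1, external side: a J2SE permission (class, target, action list)
       is what constitutes an action, decided here rather than in the SAML spec. -->
  <xs:complexType name="PermissionActionType">
    <xs:complexContent>
      <xs:extension base="saml:ActionType">
        <xs:attribute name="class" type="xs:string" use="required"/>
        <xs:attribute name="target" type="xs:string"/>
        <xs:attribute name="actions" type="xs:string"/>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- Issue 3: a query derived from SubjectQueryAbstractType. It inherits one
       saml:Subject and adds a wrapper element per further, unrelated principal. -->
  <xs:complexType name="MultiSubjectAuthorizationQueryType">
    <xs:complexContent>
      <xs:extension base="saml:SubjectQueryAbstractType">
        <xs:sequence>
          <xs:element name="AdditionalSubject" maxOccurs="unbounded">
            <xs:complexType>
              <xs:sequence>
                <xs:element ref="saml:Subject"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
          <xs:element name="Resource" type="xs:anyURI"/>
          <xs:element ref="saml:Actions" minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="MultiSubjectAuthorizationQuery" type="j2se:MultiSubjectAuthorizationQueryType"/>
</xs:schema>

<!-- File 3: an instance with two unrelated principals (a user and a code
     signer, constructed sample values) and one J2SE permission as the action. -->
<j2se:MultiSubjectAuthorizationQuery
    xmlns:j2se="urn:example:j2se-policy"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject><saml:NameIdentifier>uid=alice</saml:NameIdentifier></saml:Subject>
  <j2se:AdditionalSubject>
    <saml:Subject><saml:NameIdentifier>signedBy=devteam</saml:NameIdentifier></saml:Subject>
  </j2se:AdditionalSubject>
  <j2se:Resource>file:///tmp/</j2se:Resource>
  <saml:Actions>
    <saml:Action xsi:type="j2se:PermissionActionType"
                 class="java.io.FilePermission" target="/tmp/-" actions="read,write"/>
  </saml:Actions>
</j2se:MultiSubjectAuthorizationQuery>
```

The abstract type does the work on the first issue: saml:ActionType fixes no content model, so the J2SE schema rather than the SAML spec decides that an action is a permission class, target and action list, and each instance Action selects that model with xsi:type. On the third issue, the derived query keeps the one mandatory saml:Subject it inherits and places each further, unrelated principal in its own saml:Subject inside a wrapper element, which keeps the content model unambiguous and leaves the single-principal semantics of saml:Subject untouched.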
