security-services message

Subject: Comments on Issuer Format proposal (28d-draft-solution-0.1.pdf)


> The document 28d-draft-solution-0.1.pdf has been submitted by 
> Rebekah Lepro (rlepro@arc.nasa.gov) to the OASIS Security 
> Services TC document repository.
> 
> Document Description:
> Initial draft of solution proposal for reconciliation of the 
> Issuer format between SAML assertions and XACML 
> AttributeDesignators (work item 28d).   This request from the 
> XACML TC dates at least to 09/2002.
> 
> Download Document:  
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/3667/28d-draft-solution-0.1.pdf
> 
> View Document Details:
> http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=3667

The gist of this proposal is that the SAML Assertion element be extended with one additional attribute, to indicate the "format" of the issuer.

My first comment is that if this attribute is added, it should be called "IssuerFormat" to make it clear that it modifies the "Issuer" attribute, and does not designate the format of any other part of the Assertion.

That said, I have many of the same concerns about this attribute as I expressed in my previous response to work item 28b, the SAML Attribute proposal.

If the format is optional, it must be clearly specified that it can also be completely ignored. That is,

<Assertion issuer="fred" issuerFormat="oid">...

may safely be treated the same as

<Assertion issuer="fred">...


My next question is, do we really want this to identify the *format* of the issuer attribute, or do we really intend to indicate the *classification* of the issuer. Saying that a particular string is an OID just tells me that it's numbers with dots between; it doesn't tell me whether it's an X509 certificate extension, an LDAP or X500 attribute, or an SNMP MIB.

In any case, I'd like to see a clear use case where knowing either the format or the classification makes a real difference to a SAML or XACML deployment.

 - irving -
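To make the two conditions in the message concrete (an optional issuerFormat that a relying party may ignore, and a "format" of oid that only constrains syntax, not what the OID names), here is an added Python example. It is not code from the original message or from the 28d proposal. The attribute names issuer and issuerFormat, the single recognised format string "oid", the sample assertions, and the omission of the SAML namespace are all assumptions taken from the message's own illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertions in the SAML 1.x style the message uses
# (issuer carried as an attribute on <Assertion>). No namespace, to keep
# the example aligned with the message's text; these are not taken from
# the proposal document.
WITH_FORMAT = '<Assertion issuer="fred" issuerFormat="oid"><Statement/></Assertion>'
WITHOUT_FORMAT = '<Assertion issuer="fred"><Statement/></Assertion>'
OID_ISSUER = '<Assertion issuer="1.3.6.1.4.1.99999" issuerFormat="oid"/>'

# Hypothetical registry of format identifiers this relying party knows.
KNOWN_FORMATS = {"oid"}
# Dotted-decimal OID syntax: a top arc of 0, 1 or 2 followed by sub-arcs.
OID_SYNTAX = re.compile(r"^[0-2](\.\d+)+$")


def issuer_identity(assertion_xml):
    """Return (issuer, effective_format) for one Assertion.

    issuer is required. issuerFormat is optional and, as the message argues
    an optional attribute must be, ignorable: an absent or unrecognised
    value yields effective_format None and the raw issuer string, so the
    trust decision keys on the same value whether or not the attribute is
    present. Parse untrusted XML with defusedxml in real code; ET is used
    here only so the example runs on the standard library.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "Assertion":
        raise ValueError("not an Assertion element")
    issuer = root.get("issuer")
    if not issuer:
        raise ValueError("Assertion lacks the required issuer attribute")
    fmt = root.get("issuerFormat")
    if fmt not in KNOWN_FORMATS:
        fmt = None  # unknown format: ignore it rather than reject
    return issuer, fmt


def format_consistent(assertion_xml):
    """Check the issuer string against what a declared format promises.

    "oid" only promises digits separated by dots; it says nothing about
    whether the arc names an X.509 extension, an LDAP/X.500 attribute or
    an SNMP MIB object, which is the message's format-versus-classification
    objection. Returns True when no recognised format is declared, since
    there is then nothing to check.
    """
    issuer, fmt = issuer_identity(assertion_xml)
    if fmt == "oid":
        return bool(OID_SYNTAX.match(issuer))
    return True


def same_issuer(a_xml, b_xml):
    """True when two assertions resolve to the same issuer identity."""
    return issuer_identity(a_xml)[0] == issuer_identity(b_xml)[0]


if __name__ == "__main__":
    for doc in (WITH_FORMAT, WITHOUT_FORMAT, OID_ISSUER):
        print(issuer_identity(doc), format_consistent(doc))
    print(same_issuer(WITH_FORMAT, WITHOUT_FORMAT))
```

Run as written, the two assertions from the message resolve to the same issuer whether or not issuerFormat is present, and the "fred" plus "oid" combination is flagged as inconsistent because the declared format is the only thing the attribute actually lets a relying party check.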

