Subject: Rev 06 of core spec -- need input
Scott and John K. have done a lot of work, and I've done a little, on this latest draft of the core spec. I'm not sure where we've gotten on the corresponding schema changes; will try to sync this up soon. Please make sure to review all the change-bar material and read the description blurb below.

Some other points that also need to be vetted:

- Slightly softened language around how message senders and messages are authenticated.

- This draft reflects the new lines we're starting to draw between bindings and profiles (e.g. "logout protocol bindings"). This will require coordination with Frederick.

- Naming is now inconsistent. SAML previously used long names; Liberty shortened some for efficiency reasons. So we now have <AuthenticationStatement> but <AuthnRequest>, and <NameIdentifier> but NameIDPolicy. We need to decide whether (a) the inconsistency is okay, (b) if not, which way we go for what reasons, and (c) whether we want to do a full-on succinctness assault.

- The proposal for the new <ProxyRestrictionCondition> brings to light an old SAML ugliness: <Conditions> contains a repeatable bag of subelements, necessitating verbiage about what to do when more than one subelement appears (which has been done in the case of the new subelement, but not the old ones). Options:
  (1) Add prose requirements (not expressible in XSD) that subelements MUST appear a maximum of once in <Conditions> (the simplest);
  (2) change <Conditions> backwards-incompatibly to contain an ordered list of 0..1 of each subelement (my favorite);
  (3) add lots more SHOULD prose to the old subelement descriptions, similar to what's in the new one (yuck).

- The set of protocols is now inconsistent wrt response messages. Some use the <Response> element, and some use specifically named <RegisterNameIdentifierResponse>, <FederationTerminationResponse>, and <LogoutResponse>, though they're bound to the same complex type as <Response> is. Which way to unify this?
Eve <Eve.Maler@Sun.COM> wrote:
> The document sstc-saml-core-2.0-draft-06-diff.pdf has been submitted by Eve Maler (eve.maler@sun.com) to the OASIS Security Services TC document repository.
>
> Document Description:
> Added AssertionURIReference (W-19), a proposal for ProxyRestrictionCondition, and a proposal for AuthNRequest/Response (related to many work items). Fleshed out LogoutRequest/Response (W-1). Implemented the freezing of authZ decision statement functionality (W-28b). OpenOffice.org and non-change-bar PDF forms also being uploaded.
>
> Download Document:
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/5600/sstc-saml-core-2.0-draft-06-diff.pdf
>
> View Document Details:
> http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=5600

-- 
Eve Maler                                         +1 781 442 3190
Sun Microsystems                             cell +1 781 354 9441
Web Products, Technologies, and Standards     eve.maler @ sun.com
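The <Conditions> "repeatable bag" problem raised in the message above is where a relying party's assertion verifier has to make a fail-closed decision: what to do with a duplicated <ProxyRestrictionCondition>, a repeated audience restriction, or a condition element it does not recognise. The following Python evaluator is an added illustration (not part of this message, the TC's drafts, or any SAML implementation) that enforces option (1) in code: singleton conditions may appear at most once, every <AudienceRestrictionCondition> must hold (ANDed), and any unknown or foreign-namespace condition rejects the assertion. It assumes the final SAML 2.0 assertion namespace urn:oasis:names:tc:SAML:2.0:assertion (not necessarily the draft's), SAML 1.1-style names <AudienceRestrictionCondition> and <DoNotCacheCondition> alongside the proposed <ProxyRestrictionCondition>, and uses constructed sample assertions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumed namespace: the final SAML 2.0 assertion namespace, not the draft's.
NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(local_name):
    """Qualified tag in the assertion namespace (namespace is matched strictly)."""
    return "{%s}%s" % (NS, local_name)


# Option (1) from the thread, enforced in code: these may appear at most once.
SINGLETON_CONDITIONS = {q("ProxyRestrictionCondition"), q("DoNotCacheCondition")}
# May repeat; every occurrence must be satisfied (AND across occurrences).
AUDIENCE_RESTRICTION = q("AudienceRestrictionCondition")


def _parse_utc(value):
    """xs:dateTime in UTC, the only form accepted here; raises ValueError otherwise."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_conditions(assertion_xml, relying_party, now_utc):
    """Return (True, "ok") if every condition holds, else (False, reason).

    Anything the verifier does not understand, or anything that violates the
    at-most-once rule, makes the assertion invalid (fail closed).
    """
    root = ET.fromstring(assertion_xml)
    conditions = [c for c in root if c.tag == q("Conditions")]
    if not conditions:
        return True, "no Conditions element: unconditional assertion"
    if len(conditions) > 1:
        return False, "more than one Conditions element"
    cond = conditions[0]
    try:
        now = _parse_utc(now_utc)
        if cond.get("NotBefore") and now < _parse_utc(cond.get("NotBefore")):
            return False, "assertion not yet valid"
        if cond.get("NotOnOrAfter") and now >= _parse_utc(cond.get("NotOnOrAfter")):
            return False, "assertion expired"
    except ValueError as err:
        return False, "unparseable validity attribute: %s" % err

    counts = {}
    for child in cond:
        counts[child.tag] = counts.get(child.tag, 0) + 1
        if child.tag in SINGLETON_CONDITIONS:
            if counts[child.tag] > 1:
                return False, "%s appears more than once" % child.tag
            # Semantics of ProxyRestriction (Count/Audience) are not evaluated
            # here: this relying party does not re-issue assertions.
        elif child.tag == AUDIENCE_RESTRICTION:
            audiences = {a.text.strip() for a in child.findall(q("Audience")) if a.text}
            if relying_party not in audiences:
                return False, "relying party not in audience restriction"
        else:
            return False, "unknown condition %s: treated as not satisfied" % child.tag
    return True, "ok"


# Constructed sample data (not from any real deployment).
SP = "https://sp.example.org/saml"


def _assertion(conditions_xml, not_before="2004-05-01T00:00:00Z",
               not_on_or_after="2004-07-01T00:00:00Z"):
    """Minimal assertion skeleton; unrelated attributes and statements omitted."""
    return ('<Assertion xmlns="%s"><Conditions NotBefore="%s" NotOnOrAfter="%s">%s'
            '</Conditions></Assertion>' % (NS, not_before, not_on_or_after, conditions_xml))


TWO_AUDIENCE_RESTRICTIONS = (
    '<AudienceRestrictionCondition><Audience>%s</Audience>'
    '<Audience>https://other.example.net</Audience></AudienceRestrictionCondition>'
    '<AudienceRestrictionCondition><Audience>%s</Audience></AudienceRestrictionCondition>'
    % (SP, SP))
DUPLICATE_PROXY = ('<ProxyRestrictionCondition Count="1"/>'
                   '<ProxyRestrictionCondition Count="0"/>')
FOREIGN_CONDITION = '<ext:Geo xmlns:ext="urn:example:ext">EU</ext:Geo>'

if __name__ == "__main__":
    now = "2004-06-01T00:00:00Z"
    for label, xml, rp, at in [
        ("both audience restrictions hold", _assertion(TWO_AUDIENCE_RESTRICTIONS), SP, now),
        ("wrong audience", _assertion(TWO_AUDIENCE_RESTRICTIONS), "https://evil.example", now),
        ("duplicate ProxyRestrictionCondition", _assertion(DUPLICATE_PROXY), SP, now),
        ("unknown condition", _assertion(FOREIGN_CONDITION), SP, now),
        ("expired", _assertion(TWO_AUDIENCE_RESTRICTIONS), SP, "2004-08-01T00:00:00Z"),
    ]:
        print(label, "->", evaluate_conditions(xml, rp, at))
```

Matching the full qualified tag rather than the local name is deliberate: a condition in a foreign namespace that happens to be named "AudienceRestrictionCondition" is still rejected as unknown, so a verifier cannot be talked into ignoring a restriction by namespace confusion. Option (2) from the message would move the at-most-once rule into the XSD, but a verifier would still need the unknown-condition and audience logic above.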