security-services message



Subject: Issues from SAML/XACML review


Anne Anderson and I met today to review the portions of the SAML and
XACML specs that reference each other, to ensure that things are
properly in sync.  We also reviewed other SAML changes, such as
incorporation of XML Encryption, to check that they didn't impact
XACML's usage of SAML.

Anne found a few things on the XACML side that need cleanup; I assume
she will summarize to the XACML list as necessary.  (One that may be of
interest here: There was an outdated use of <samlp:Request>, an element
that no longer exists in SAML V2.0.  So it's a good idea all around that
we did this review!)

I discovered the following issues in the SAML Profiles doc; line numbers
are from the non-change-bar version found here:

http://www.oasis-open.org/committees/download.php/9464/sstc-saml-profiles-2.0-cd-02.pdf

1. Line 265: In the namespace prefix table, the xacmlprof: row should
reference the "XACML" attribute profile, not "LDAP".  This is just a typo.

2. Line 1970: It would be more correct to say that "The optional XML
attribute FriendlyName (defined in [SAMLCore]) MAY be used for this
purpose, but is not translatable into *an* XACML attribute equivalent"
(not *the*, since there is no XACML equivalent).  I believe this can be
considered a simple editorial clarification.

3. Lines 1986-8: The sentence "For data types corresponding to the types
defined in Section 3.3 of [Schema2], the xsi:type XML attribute
SHOULD also be used." is perhaps questionable because the XACML spec has
no corresponding SHOULD, and presumably this attribute profile exists to
serve interop.  Do we want to retain this as a SHOULD, or would it be
more proper to turn it into a non-normative note that merely explains
the presumed relationship between DataType and any presence of xsi:type?
It seems to me to be a sufficiently non-substantive point that it's
safe to muck with if we wish.  In any case, it's probably worth
editorially clarifying that xsi:type would appear on <AttributeValue>,
not the parent <Attribute> (as opposed to the DataType attribute, which
appears on <Attribute>).

	Eve
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com
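To make the placement rule in item 3 concrete, here is an added example (not code from the message, the SAML TC or the profile itself): a small check that reads one saml:Attribute carried under the XACML attribute profile, verifies that DataType sits on the Attribute and xsi:type (if present) on the AttributeValue, and flags an xsi:type that disagrees with the DataType URI. The namespace URI behind the xacmlprof: prefix and the sample attribute are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
# Assumed URI for the xacmlprof: prefix; the message does not state it.
XACMLPROF_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"

# Constructed sample: DataType on <Attribute>, xsi:type on <AttributeValue>.
GOOD = f"""<saml:Attribute xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}"
    xmlns:xs="{XSD_NS}" xmlns:xacmlprof="{XACMLPROF_NS}"
    Name="urn:example:subject:role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    xacmlprof:DataType="{XSD_NS}#string">
  <saml:AttributeValue xsi:type="xs:string">reviewer</saml:AttributeValue>
</saml:Attribute>"""


def check_attribute(xml_text):
    """Return a list of findings (empty when the attribute is consistent).

    Rules checked: xacmlprof:DataType must be on <Attribute>; xsi:type must
    not be on <Attribute>; when an <AttributeValue> carries xsi:type and the
    DataType names an XML Schema built-in (XSD_NS#local), the local part of
    the xsi:type QName must equal that built-in's name.
    """
    findings = []
    attr = ET.fromstring(xml_text)
    if attr.tag != f"{{{SAML_NS}}}Attribute":
        return ["root element is not saml:Attribute"]
    data_type = attr.get(f"{{{XACMLPROF_NS}}}DataType")
    if data_type is None:
        findings.append("missing xacmlprof:DataType on <Attribute>")
    if attr.get(f"{{{XSI_NS}}}type") is not None:
        findings.append("xsi:type appears on <Attribute>; it belongs on <AttributeValue>")
    for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
        xsi_type = value.get(f"{{{XSI_NS}}}type")
        if xsi_type is None or data_type is None:
            continue
        # ElementTree does not resolve prefixes inside attribute values, so
        # compare only the local part of the QName (e.g. "string" of "xs:string").
        local = xsi_type.split(":")[-1]
        if data_type.startswith(XSD_NS + "#") and data_type != f"{XSD_NS}#{local}":
            findings.append(f"xsi:type {xsi_type} does not match DataType {data_type}")
    return findings


if __name__ == "__main__":
    print(check_attribute(GOOD))
```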

