security-services message



Subject: RE: [security-services] Could use advise on changing the SAML FAQ


I like your latest suggestion.  My thoughts then are:
- "What is SAML's history and background?" - describe SSTC origin and
original contributed inputs.
- "What are the differences between SAML versions?" - Use much of
Eve's/my text.
- "What is in SAML's future?" - New profiles, Errata updates, Minor
revisions as needed based on deployment feedback, etc.


Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name:  =Rob.Philpott

> -----Original Message-----
> From: Eve.Maler@Sun.COM [mailto:Eve.Maler@Sun.COM]
> Sent: Tuesday, October 11, 2005 10:56 AM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Could use advise on changing the SAML FAQ
> 
> I got a bit stumped when working on my action item to change the
> SAML FAQ (http://www.oasis-open.org/committees/security/faq.php) so
> that it doesn't talk about "slight" incompatibilities.  Rob gave me
> some input but suggested I check with the TC to be sure.
> 
> This is about the paragraph under the question "What is SAML's
> history and background? What is in SAML's future?" that reads as
> follows:
> 
> "Approval of SAML v1.1 followed in September 2003. This version
> focused on improving interoperability and specification clarity
> through experience with Version 1.0, and in particular on tightening
> up the relationship of SAML with XML Signature. In general, minor
> revisions of SAML can be expected to be backwards compatible. This
> version is very slightly incompatible with SAML v1.0 in the area of
> XML Signature in order to take advantage of new knowledge about XML
> Signature processing."
> 
> I was instructed "to change the FAQ answer for 1.0-to-1.1 to remove
> the suggestion of compatibility and to comment on the fact that
> products that support V1.0 also implement V1.1, such that it's a
> product compatibility issue and a partner communication/contract
> issue to choose one."
> 
> My attempt at a revision resulted in the following, which felt like
> it was answering questions that hadn't been asked:
> 
> "Approval of SAML v1.1 followed in September 2003. This version
> focused on improving interoperability and specification clarity
> through experience with Version 1.0, and in particular on tightening
> up the relationship of SAML with XML Signature.  Typically, products
> that offer SAML v1.0 support also offer SAML v1.1 support.  As in
> any situation, if you are making a decision about which version to
> deploy, you should check on product compatibility among your
> identity federation partners and ensure that any
> deployment/configuration agreements specify the correct version."
> 
> Rob's attempt went like this:
> 
> "Approval of SAML v1.1 followed in September 2003. This version
> focused on improving interoperability and specification clarity
> through experience with Version 1.0, and in particular on tightening
> up the relationship of SAML with XML Signature.  The nature of these
> changes resulted in certain backward compatibility issues for SAML
> V1.0 and V1.1, so in general, these two versions are considered to
> be incompatible when different versions of SAML are configured
> between partners. Products have been introduced to the market that
> support both SAML V1.0 and V1.1, although they typically require any
> specific configuration of any two cooperating partners to use the
> same version of SAML. As in any situation, if you are making a
> decision about which version to deploy, you should check on product
> compatibility among your identity federation partners and ensure
> that any deployment/configuration agreements specify the correct
> version."
> 
> I like Rob's new/changed text on top of mine.  My only additional
> thought is that maybe we want to break out much of this detailed
> stuff into a separate question like "What are the differences
> between SAML v1.0 and SAML v1.1?" -- or add it to the question
> currently called "What's new in SAML v2.0?" and change the question
> to "What are the differences between SAML versions?"  Then we could
> broaden the product deployment and configuration advice so that it
> applies to any version.
> 
> What do people think?  Can we spend one minute on this issue in
> today's call?
> 
> 	Eve
> --
> Eve Maler                                         +1 425 947 4522
> Technology Director                           eve.maler @ sun.com
> CTO Business Alliances group                Sun Microsystems, Inc.
> 


