[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Groups -sstc-saml2-profiles-x509-draft-11.odt uploaded
Scott, I agree with your definition of "deployment profile" but I'm thinking that I should not change the document name scheme for the original attribute sharing "profile" with the new draft, to avoid confusion w.r.t. the document's history/status.

::Ari

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Friday, September 29, 2006 4:24 PM
> To: 'Tom Scavo'; security-services@lists.oasis-open.org
> Subject: RE: [security-services] Groups - sstc-saml2-profiles-x509-draft-11.odt uploaded
>
> > - It is not clear what is meant by "deployment profile."
>
> My rough definition is any profile that simply takes an existing SAML profile and constrains the optional behavior and choices in ways that really don't change the original intent. To me, if I can configure existing software that implements a profile to meet your profile, then what you have is not a new profile in the broad sense, it's just knob turning.
>
> The benefit of packaging it all up is clear, I'm not arguing against that, but it's not quite the same thing as defining wholly new profiles.
>
> > I agree that the subprofiles "X.509 SAML Subject Profile" and "SAML Assertion Profile for X.509 Subjects" are not "profiles" as the word is often used, but the "SAML Attribute Query Profile for X.509 Subjects" and the "SAML Attribute Self-Query Profile for X.509 Subjects" are indeed profiles associated with specific use cases.
>
> Not to me. I think they're standard queries. Especially the self-query. That's nothing but a presumption that leads to policy like "I can ask for anything about myself". That's never been in scope, but it's always been legal, and in 2.0 it's even directly expressible inside the request (via Issuer == Subject).
>
> How is that different from "SAML Attribute Query-By-Partner for X.509 Subjects"? The only difference is who's asking. I think we have to draw a line somewhere when things start moving beyond the scope of the standard. There's a name for the complete set of everything you're doing at runtime, but I think SAML profile is a little less than that.
>
> So, "deployment profile" is my name for that sort of complete document that lays out how a given application in some community is doing things.
>
> > Moreover, the use case associated with the "SAML Attribute Query Profile for X.509 Subjects" is precisely the same use case that motivates the "SAML Attribute Sharing Profile for X.509 Authentication-Based Systems", so if one is not a profile, neither is the other.
>
> Which I've argued repeatedly, so I don't think I'm being inconsistent.
>
> -- Scott
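Scott's point that a "self-query" is just an ordinary SAML 2.0 AttributeQuery whose Issuer names the same X.509 subject as its Subject, and that "I can ask for anything about myself" is then a policy decision at the responder rather than a distinct protocol, can be shown with a small authorization check. The following is an added example, not code from this thread or from any OASIS deliverable: the two AttributeQuery messages, the partner allow-list, the DN normalization and the function names are all constructed here for illustration. The DN comparison is deliberately simplified (split on commas, case-fold the attribute types); a production responder should apply full RFC 4514 DN matching.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample 1: a self-query. The requester (Issuer) is the X.509
# subject it is asking about, so Issuer == Subject NameID.
SELF_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_q1" Version="2.0" IssueInstant="2006-09-29T20:24:00Z">
  <saml:Issuer Format="{X509_SUBJECT_NAME}">CN=Alice Example, O=Example Org, C=US</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{X509_SUBJECT_NAME}">cn=Alice Example,o=Example Org,c=US</saml:NameID>
  </saml:Subject>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{URI_FORMAT}"/>
  <saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="{URI_FORMAT}"/>
</samlp:AttributeQuery>"""

# Constructed sample 2: a query by a partner SP (Issuer is an entityID, the
# default Issuer format when no Format attribute is present) about Alice.
PARTNER_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_q2" Version="2.0" IssueInstant="2006-09-29T20:25:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{X509_SUBJECT_NAME}">CN=Alice Example,O=Example Org,C=US</saml:NameID>
  </saml:Subject>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{URI_FORMAT}"/>
  <saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="{URI_FORMAT}"/>
</samlp:AttributeQuery>"""

# Constructed, hypothetical per-partner release policy: entityID -> attributes it may see.
ALLOW_LIST = {"https://sp.example.org": {"urn:oid:2.5.4.42"}}


def norm_dn(dn):
    """Simplified DN normalization: strip whitespace around RDNs, case-fold
    attribute types. Does NOT handle escaped commas or multi-valued RDNs."""
    parts = []
    for rdn in dn.strip().split(","):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(parts)


def classify(query_xml):
    """Parse an AttributeQuery and decide whether it is a self-query."""
    root = ET.fromstring(query_xml)
    if root.tag != f"{{{NS['samlp']}}}AttributeQuery":
        raise ValueError("not a samlp:AttributeQuery")
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if issuer is None or name_id is None or not issuer.text or not name_id.text:
        raise ValueError("missing Issuer or Subject NameID")
    requested = [a.get("Name") for a in root.findall("saml:Attribute", NS)]
    # Only an Issuer explicitly in X509SubjectName format can be "the same
    # subject"; an entityID that merely looks like a DN does not qualify.
    is_self = (
        issuer.get("Format") == X509_SUBJECT_NAME
        and name_id.get("Format") == X509_SUBJECT_NAME
        and norm_dn(issuer.text) == norm_dn(name_id.text)
    )
    return {
        "requester": issuer.text.strip(),
        "subject": name_id.text.strip(),
        "self_query": is_self,
        "requested": requested,
    }


def authorize(query_xml, allow_list):
    """Return the attribute names the responder would release, sorted.
    Self-query: release everything requested ("anything about myself").
    Partner query: intersect the request with that partner's allow-list."""
    q = classify(query_xml)
    if q["self_query"]:
        return sorted(q["requested"])
    permitted = allow_list.get(q["requester"], set())
    return sorted(a for a in q["requested"] if a in permitted)
```

The same parser serves both the partner and the self-query case; the only thing that changes is which branch of the release policy fires, which is exactly why the responder's configuration, not a new protocol profile, is where the difference lives. Note that the check trusts the Issuer value; in practice the responder must first bind it to the authenticated requester (the client certificate or the signature on the query) before using it for authorization.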