[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Comments on XSPA profile
Section 1: On the call I suggested that this could use more explanatory text as to the nature of the profile being presented, because SAML is so varied. I think the bulk, if not all, of this profile is about Attributes. In that vein, I would also add more to the Non-Goals section to clarify what isn't covered, namely protocols for acquiring or delivering assertions. Section 3: One reason I found identifying the scope of the profile confusing was the broad language here. I don't think it's fair to say this profile "provides access control..." if all it's concerned with is formalizing attribute usage. Without the protocols and the rest of the assertion content, it's really a very small piece of that picture. Section 3.1: It's slightly confusing to present all these interactions when the profile doesn't really describe them. I think I would collapse a lot of this into the introductory section that just motivates the material, rather than including it in the formal section 3 that defines the profile. Section 3.1.3: I think we need to be careful using the word "Attributes". If the intent here is that these are SAML attributes, it should probably say so. I think it's meant more abstractly here, in which case I would make that clearer. Sections 3.2/3/4/5: I'm not sure that any of this is worth including. In particular, it seems to be out of scope, and it's not reading as normative. 3.4 also seems questionable since SAML 2.0 doesn't define anything called "error states", and to the extent that it deals with errors at all, it's at the protocol level (which I don't think you're intending to use). Section 3.6: I think you're trying to say that you're not constraining confirmation methods, but if so, why include it at all? More importantly, the rest of the text is inaccurately referencing material that is not related to SAML confirmation methods in any direct way. Since I think without the protocol context, it's impossible to really say anything about the non-statement content of the assertion (e.g. subject confirmation, conditions, signing), I would suggest just avoiding it or ruling it out of scope in the way I suggested earlier. Section 3.7: The title and the sentence don't really go together. Use of metadata doesn't seem to be in scope of this profile (again, no protocols), and use of AttributeStatements isn't really a "metadata definition". I think what you're trying to say is that the assertions are intended to carry only AttributeStatements? Frankly, I'm not sure that's wise. Section 3.8: Naming Syntax, Restrictions and Acceptable Values...of what? Section 3.9/10/11: This frankly to me is what the profile is trying to be, and should probably be the whole of section 3. In that event, I would suggest structuring the document as an attribute profile in the fashion of the SAML profiles that were done. The bases are mostly covered here. Section 3.10: Are you trying to constrain equality of attribute names, or values? Section 3.11: Avoid the word namespace here, it does not have any meaning in this context. I think you're trying to say that you want to define a URN prefix to use for your attribute names. That's about the only technical term I could think of for what you mean by namespace. In your examples, the XML is incorrect with regard to the xsi:type attribute, which is not a URL, but a QName (e.g. xs:string). I think XACML uses URLs, but XML Schema doesn't. The remainder of this section I think is defining actual Attribute "types" (in LDAP parlance). We have a couple of profiles that do that in SAML, I think, so that format could be emulated. Additional comments: OASIS requires profiles to have a conformance section now, which we've been putting at the beginning of the doc. The document is also missing some required boilerplate, and the references need some clean up to align with our usual conventions there. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]