Subject: Re: Draft SAML 2.0 Change Requirements, v1.5


On 5 September, D.W. Chadwick writes: Re: Draft SAML 2.0 Change Requirements, v1.5
 > > 2. Way to indicate in the Query that an XACML Request Context
 > >    (note: might not match input Request) is to be returned as
 > >    part of the Decision.  This would usually be the input Request
 > >    augmented with at least any additional attribute values used
 > >    in evaluating the Request against applicable policies.
 > 
 > As well as being augmented, I think it is equally important that the
 > returned context has the ability to eliminate unused, untrusted,
 > expired, invalid etc. attributes that the policy did not and cannot ever
 > use, i.e. redundant baggage.

Fine.

 > > 3. Way to indicate in the Query whether the PDP is free to
 > >    collect Attributes for use in making the Decision from sources
 > >    other than the XACML Request Context passed in the Query.
 > 
 > and to be able to point to those sources e.g. by a URI

This would be in the XACML Request Context itself, and probably
not in the SAML envelope.  We have an XACML 2.0 Work Item for
this, championed by Daniel Engovatov of BEA.

 > > 6. Way to pass an XACML Policy/PolicySet in a Query, along with
 > >    an indication that such a policy is being supplied and whether
 > >    this Policy/PolicySet is to be used alone or in conjunction
 > >    with other Policies/PolicySets available to the PDP in
 > >    evaluating the Query.
 > > 
 > 
 > and how the policies are to be prioritised (precedence rules) if used in
 > conjunction with each other (although this could be part of the policy
 > itself).

Good points.

 > > 3. SAML AttributeQuery and Response syntax, allowing an entity
 > >    to request Attributes of a given Subject or Resource, plus an
 > >    indication whether only specific Attributes (identified in the
 > >    Query by AttributeId) are to be returned, or whether all
 > >    Attributes of the given Subject or Resource known to the
 > >    Attribute Authority are to be returned.
 > 
 > by known, I take it you mean trusted and validated.
 > e.g. the AA may know the role attribute type, and certain role values,
 > but a given role attribute may have an unknown value. Should it be
 > returned or not?

Yes, I mean trusted, validated, and known values for a particular
subject.

 > > 4. Schema-aware canonicalization for SAML schema instances and
 > >    encapsulated payloads, including at least DataType
 > >    normalization, deterministic ordering of elements and
 > >    attributes, and default attribute and element values, such
 > >    that digital signatures can be applied to the output and
 > >    verified by another entity that may have parsed and re-encoded
 > >    the signed content.
 > 
 > Also the ability to include binary representations of signed attributes
 > in another standard format (e.g. X.509) that has its own
 > canonicalisation rules.

Canonicalization would have to cover base64Encoding and hexBinary
representations of the binary content, but the binary content
itself is not a C14N issue: if it is binary, it is already
canonicalized.

 > > 5. Possibly: SAML Policy Query syntax, allowing a PDP to request
 > >    a Policy/PolicySet by its Policy[Set]Id from an on-line Policy
 > >    Administration Point (are there any online PAPs?  If not, no
 > >    need for this).
 > 
 > Once we get into policy management, then the following sorts of services
 > are needed
 > 
 > i) the ability to query the PDP to ask about the policy it is currently
 > using
 > ii) the ability to update/set policy in the PDP (either directly, or
 > indirectly by giving it a command to Refresh policy)

I don't think we are ready to address this now, although it is
certainly important - it is too big a topic for the SAML 2.0 time
frame.  XACML implementations already have and need APIs for
retrieving policies, however, so I think a Policy Query is
possibly in scope for 2.0 (although unless there are actual
online PAPs in the making, I don't think we should push the
functionality in yet).

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
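
Editor's added example, not part of the thread above and not code from either correspondent: the point in item 4 (and Anne's reply about base64/hexBinary) is that two encodings of the same octets can differ lexically, so a signature computed over one parse-and-re-encode of the content fails to verify against another unless the lexical form is first normalized. The script below implements a deliberately small schema-aware canonicalizer over a constructed, simplified attribute fragment (the element names are XACML-like but the structure is not the XACML or SAML schema): it sorts XML attributes, strips insignificant whitespace, and rewrites values whose DataType is xs:hexBinary or xs:base64Binary into their XSD canonical lexical forms (uppercase hex with no whitespace; base64 with no whitespace, re-encoded from the decoded bytes). A SHA-256 digest over the canonical serialization stands in for the XML-DSig reference digest; the DataType URIs are the real XML Schema ones, everything else (element names, sample values) is assumed for illustration.

```python
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Real XML Schema datatype identifiers used by XACML/SAML for binary content.
XS_BASE64 = "http://www.w3.org/2001/XMLSchema#base64Binary"
XS_HEX = "http://www.w3.org/2001/XMLSchema#hexBinary"


def canonical_binary_value(datatype: str, text: str) -> str:
    """Return the XSD canonical lexical form of a binary-typed value.

    The octets themselves are already canonical (there is nothing to
    normalize in raw bytes); only their textual encoding varies.  Both
    forms are rebuilt from the decoded bytes so that every lexical
    variant of the same octets collapses to one string, and an invalid
    value (odd-length hex, non-alphabet base64) raises instead of being
    silently signed.
    """
    compact = re.sub(r"\s+", "", text)
    if datatype == XS_HEX:
        raw = binascii.unhexlify(compact)      # raises binascii.Error if malformed
        return binascii.hexlify(raw).decode("ascii").upper()   # XSD canonical: uppercase
    if datatype == XS_BASE64:
        raw = base64.b64decode(compact, validate=True)         # raises on bad chars
        return base64.b64encode(raw).decode("ascii")           # XSD canonical: no whitespace
    return text


def canonicalize(el: ET.Element) -> str:
    """Schema-aware canonical serialization of one element subtree.

    Rules (a subset of what real C14N plus datatype normalization needs):
    attributes sorted by name, inter-element whitespace dropped, text
    normalized according to the element's DataType attribute.  Namespace
    handling and default-value insertion are out of scope for this toy.
    """
    attrs = "".join(f' {k}="{escape(v)}"' for k, v in sorted(el.attrib.items()))
    text = (el.text or "").strip()
    datatype = el.attrib.get("DataType")
    if datatype in (XS_BASE64, XS_HEX):
        text = canonical_binary_value(datatype, text)
    children = "".join(canonicalize(child) for child in el)
    return f"<{el.tag}{attrs}>{escape(text)}{children}</{el.tag}>"


def canonical_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form; stands in for a DSig reference digest."""
    root = ET.fromstring(xml_text)
    return hashlib.sha256(canonicalize(root).encode("utf-8")).hexdigest()


def verify(xml_text: str, expected_digest: str) -> bool:
    """What a relying party does after parsing and re-encoding signed content."""
    return canonical_digest(xml_text) == expected_digest


# Constructed sample fragments (not real SAML/XACML instances).  A and B carry
# the same octets: A has line-wrapped base64 and lowercase hex, B is compact
# with uppercase hex and the XML attributes in a different order.
VARIANT_A = """<Attribute AttributeId="urn:example:cert" Issuer="urn:example:aa">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#base64Binary">
    MIIBIjANBgkq
    hkiG9w0BAQEF
  </AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#hexBinary">deadbeef</AttributeValue>
</Attribute>"""

VARIANT_B = (
    '<Attribute Issuer="urn:example:aa" AttributeId="urn:example:cert">'
    '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#base64Binary">'
    "MIIBIjANBgkqhkiG9w0BAQEF</AttributeValue>"
    '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#hexBinary">DEADBEEF</AttributeValue>'
    "</Attribute>"
)

# One nibble of the hex value changed: must not verify.
VARIANT_TAMPERED = VARIANT_B.replace("DEADBEEF", "DEADBEEE")


if __name__ == "__main__":
    digest = canonical_digest(VARIANT_A)
    print("canonical:", canonicalize(ET.fromstring(VARIANT_A)))
    print("digest   :", digest)
    print("re-encoded variant verifies:", verify(VARIANT_B, digest))
    print("tampered variant verifies  :", verify(VARIANT_TAMPERED, digest))
```

Without the datatype step, the two variants would hash differently even after whitespace and attribute-order normalization, because `deadbeef` and `DEADBEEF` are distinct strings; with it, the only thing that changes the digest is a change in the underlying octets.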
