[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Draft SAML 2.0 Change Requirements, v1.5. Forwarded message from D.W.Chadwick.
------- start of forwarded message ------- From: "D.W.Chadwick" <D.W.Chadwick@salford.ac.uk> To: Anne.Anderson@sun.com Subject: Re: Draft SAML 2.0 Change Requirements, v1.5 Date: 5 Sep 2003 19:56:54 +0100 This is a multi-part message in MIME format. --------------9F76406F4D42C1CB119A050D Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Anne just a few comments on your draft requirements Anne Anderson wrote: > ------------------------------------------------------------------------ > Proposed SAML 2.0 Changes from XACML TC and OGSA > Editor: Anne Anderson <Anne.Anderson@sun.com> > Version: 1.5, 03/09/05 (yy/mm/dd) > > *******************DISCUSSION DRAFT*************************** > > ===================================================================== > A. Abstract Requirements for SAML AuthorizationDecisionQuery/Response > ===================================================================== > > 1. Way to pass an XACML Request Context in the Query and an XACML > Response Context in the Decision. Should not extend > SubjectQueryAbstractType and SubjectStatementAbstractType > because Subject element is redundant and inconsistent with > Subject information in the XACML Request and Response. > 2. Way to indicate in the Query that an XACML Request Context > (note: might not match input Request) is to be returned as > part of the Decision. This would usually be the input Request > augmented with at least any additional attribute values used > in evaluating the Request against applicable policies. As well as being augmented, I think it is equally important that the returned context has the ability to eliminate unused, untrusted, expired, invalid etc attributes that the policy did not and cannot ever use. ie. redundant baggage. > 3. Way to indicate in the Query whether the PDP is free to > collect Attributes for use in making the Decision from sources > other than the XACML Request Context passed in the Query. and to be able to point to those sources e.g. by a URI > 4. Associate a DataType with an Issuer name, such that the name > can be determined to be a string, an X.500 Distinguished Name, > etc. > 5. Way to return an XACML Policy/PolicySet in a Decision as a > condition that must evaluate to "Permit" in order for the > Decision to be valid. Way to indicate that such a condition > is associated with the Decision. Might be appropriate to put > this condition and indication into the XACML Response Context > itself rather than into the SAML envelope. > 6. Way to pass an XACML Policy/PolicySet in a Query, along with > an indication that such a policy is being supplied and whether > this Policy/PolicySet is to be used alone or in conjunction > with other Policies/PolicySets available to the PDP in > evaluating the Query. > and how the policies are to be prioritised (precedence rules) if used in conjunction with each other (although this could be part of the policy itself). > ============================== > B. Other Abstract Requirements > ============================== > > 1. Better correspondence between SAML Attribute format and XACML > Request Context Attribute format such that SAML Attributes can > be translated into XACML Request Context Attributes > mechanically and easily. > 2. SAML Policy Statement syntax, allowing an issuer to state and > sign an XACML Policy/PolicySet. > 3. SAML AttributeQuery and Response syntax, allowing an entity > to request Attributes of a given Subject or Resource, plus an > indication whether only specific Attributes (identified in the > Query by AttributeId) are to be returned, or whether all > Attributes of the given Subject or Resource known to the > Attribute Authority are to be returned. by known, I take it you mean trusted and validated. e.g. the AA may know the role attribute type, and certain role values, but a given role attribute may have an unknown value. Should it be returned or not? > 4. Schema-aware canonicalization for SAML schema instances and > encapsulated payloads, including at least DataType > normalization, deterministic ordering of elements and > attributes, and default attribute and element values, such > that digital signatures can be applied to the output and > verified by another entity that may have parsed and re-encoded > the signed content. Also the ability to include binary representations of signed attributes in another standard format (e.g. X.509) that has its own canonicalisation rules. > 5. Possibly: SAML Policy Query syntax, allowing a PDP to request > a Policy/PolicySet by its Policy[Set]Id from an on-line Policy > Administration Point (are there any online PAPs? If not, no > need for this). Once we get into policy management, then the following sorts of services are needed i) the ability to query the PDP to ask about the policy it is currently using ii) the ability to update/set policy in the PDP (either directly, or indirectly by giving it a command to Refresh policy) David --------------9F76406F4D42C1CB119A050D Content-Type: text/x-vcard; charset=us-ascii; name="d.w.chadwick.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for David Chadwick Content-Disposition: attachment; filename="d.w.chadwick.vcf" begin:vcard n:Chadwick;David tel;cell:+44 77 96 44 7184 tel;fax:+44 1484 532930 tel;home:+44 1484 352238 tel;work:+44 161 295 5351 x-mozilla-html:FALSE url:http://www.salford.ac.uk/its024/chadwick.htm org:University of Salford;IS Institute version:2.1 email;internet:d.w.chadwick@salford.ac.uk title:Professor of Information Security adr;quoted-printable:;;The Crescent=0D=0A;Salford;Greater Manchester;M5 4WT;England note;quoted-printable:Research Projects: http://sec.isi.salford.ac.uk.......................=0D=0A=0D=0AUnderstanding X.500: http://www.salford.ac.uk/its024/X500.htm .......................=0D=0A=0D=0AX.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm...................=0D=0A=0D=0AEntrust key validation string: CJ94-LKWD-BSXB ...........=0D=0A=0D=0APGP Key ID is 0xBC238DE5 x-mozilla-cpt:;-4856 fn:David Chadwick end:vcard --------------9F76406F4D42C1CB119A050D-- ------- end of forwarded message ------- -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]