OASIS Mailing List Archives: xacml message


Subject: Re: Draft SAML 2.0 Change Requirements, v1.5. Forwarded message from D.W.Chadwick.


------- start of forwarded message -------
From: "D.W.Chadwick" <D.W.Chadwick@salford.ac.uk>
To: Anne.Anderson@sun.com
Subject: Re: Draft SAML 2.0 Change Requirements, v1.5
Date: 5 Sep 2003 19:56:54 +0100


Anne

just a few comments on your draft requirements

Anne Anderson wrote:

> Proposed SAML 2.0 Changes from XACML TC and OGSA
> Editor:  Anne Anderson <Anne.Anderson@sun.com>
> Version: 1.5, 03/09/05 (yy/mm/dd)
> 
> *******************DISCUSSION DRAFT***************************
> 
> =====================================================================
> A. Abstract Requirements for SAML AuthorizationDecisionQuery/Response
> =====================================================================
> 
> 1. Way to pass an XACML Request Context in the Query and an XACML
>    Response Context in the Decision.  Should not extend
>    SubjectQueryAbstractType and SubjectStatementAbstractType
>    because Subject element is redundant and inconsistent with
>    Subject information in the XACML Request and Response.
> 2. Way to indicate in the Query that an XACML Request Context
>    (note: might not match input Request) is to be returned as
>    part of the Decision.  This would usually be the input Request
>    augmented with at least any additional attribute values used
>    in evaluating the Request against applicable policies.

As well as being augmented, I think it is equally important that the
returned context has the ability to eliminate unused, untrusted,
expired, invalid etc. attributes that the policy did not and cannot ever
use, i.e. redundant baggage.


> 3. Way to indicate in the Query whether the PDP is free to
>    collect Attributes for use in making the Decision from sources
>    other than the XACML Request Context passed in the Query.

and to be able to point to those sources, e.g. by a URI.

> 4. Associate a DataType with an Issuer name, such that the name
>    can be determined to be a string, an X.500 Distinguished Name,
>    etc.
> 5. Way to return an XACML Policy/PolicySet in a Decision as a
>    condition that must evaluate to "Permit" in order for the
>    Decision to be valid.  Way to indicate that such a condition
>    is associated with the Decision.  Might be appropriate to put
>    this condition and indication into the XACML Response Context
>    itself rather than into the SAML envelope.
> 6. Way to pass an XACML Policy/PolicySet in a Query, along with
>    an indication that such a policy is being supplied and whether
>    this Policy/PolicySet is to be used alone or in conjunction
>    with other Policies/PolicySets available to the PDP in
>    evaluating the Query.
> 

and how the policies are to be prioritised (precedence rules) if used in
conjunction with each other (although this could be part of the policy
itself).

> ==============================
> B. Other Abstract Requirements
> ==============================
> 
> 1. Better correspondence between SAML Attribute format and XACML
>    Request Context Attribute format such that SAML Attributes can
>    be translated into XACML Request Context Attributes
>    mechanically and easily.
> 2. SAML Policy Statement syntax, allowing an issuer to state and
>    sign an XACML Policy/PolicySet.
> 3. SAML AttributeQuery and Response syntax, allowing an entity
>    to request Attributes of a given Subject or Resource, plus an
>    indication whether only specific Attributes (identified in the
>    Query by AttributeId) are to be returned, or whether all
>    Attributes of the given Subject or Resource known to the
>    Attribute Authority are to be returned.

By known, I take it you mean trusted and validated,
e.g. the AA may know the role attribute type, and certain role values,
but a given role attribute may have an unknown value. Should it be
returned or not?

> 4. Schema-aware canonicalization for SAML schema instances and
>    encapsulated payloads, including at least DataType
>    normalization, deterministic ordering of elements and
>    attributes, and default attribute and element values, such
>    that digital signatures can be applied to the output and
>    verified by another entity that may have parsed and re-encoded
>    the signed content.

Also the ability to include binary representations of signed attributes
in another standard format (e.g. X.509) that has its own
canonicalisation rules.


> 5. Possibly: SAML Policy Query syntax, allowing a PDP to request
>    a Policy/PolicySet by its Policy[Set]Id from an on-line Policy
>    Administration Point (are there any online PAPs?  If not, no
>    need for this).

Once we get into policy management, then the following sorts of services
are needed:

i) the ability to query the PDP to ask about the policy it is currently
using
ii) the ability to update/set policy in the PDP (either directly, or
indirectly by giving it a command to Refresh policy)


David
------- end of forwarded message -------

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
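As an added example, not part of this thread or of either TC's drafts: a Python sketch of the mechanical SAML Attribute to XACML Request Context Attribute translation asked for under B.1, which also applies the pruning David asks for under A.2 by dropping assertions that are expired or come from an untrusted issuer before their attributes ever reach the Request Context. It uses the SAML 2.0 assertion and XACML 2.0 context namespaces as later published (both postdate this message); the sample assertions, issuer list, attribute names, evaluation time and the xsi:type-to-DataType mapping are constructed assumptions for illustration only.

```python
"""Translate SAML 2.0 Attributes into an XACML 2.0 Request Context,
dropping assertions a PDP should not use (untrusted issuer, or outside
the Conditions validity window). Constructed example; not TC code."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"
SUBJECT_CATEGORY = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Assumption: only these XML Schema built-ins appear as xsi:type on values.
KNOWN_XS_TYPES = {"string", "integer", "boolean", "anyURI", "dateTime"}


def _utc(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form SAML uses for condition times."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _xacml_datatype(value_el):
    """Map xsi:type on a SAML AttributeValue to an XACML DataType URI.
    Anything unknown, or no xsi:type at all, is treated as xs:string."""
    local = value_el.get("{%s}type" % XSI, "").split(":")[-1]
    return "%s#%s" % (XS, local if local in KNOWN_XS_TYPES else "string")


def saml_to_xacml_request(saml_xml, trusted_issuers, now):
    """Return (xacml_request, dropped). Every Attribute from an assertion that
    is from a trusted issuer and inside its validity window becomes a Subject
    Attribute carrying AttributeId, DataType and Issuer; anything else is
    recorded in dropped as (issuer, reason) and never reaches the PDP."""
    root = ET.fromstring(saml_xml)
    request = ET.Element("{%s}Request" % XACML_CTX)
    subject = ET.SubElement(request, "{%s}Subject" % XACML_CTX,
                            SubjectCategory=SUBJECT_CATEGORY)
    dropped = []
    for assertion in root.iter("{%s}Assertion" % SAML):
        issuer = assertion.findtext("{%s}Issuer" % SAML, "").strip()
        if issuer not in trusted_issuers:
            dropped.append((issuer, "untrusted issuer"))
            continue
        cond = assertion.find("{%s}Conditions" % SAML)
        if cond is not None:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if (nb and now < _utc(nb)) or (noa and now >= _utc(noa)):
                dropped.append((issuer, "outside validity window"))
                continue
        for attr in assertion.iter("{%s}Attribute" % SAML):
            values = attr.findall("{%s}AttributeValue" % SAML)
            if not values:
                continue
            xattr = ET.SubElement(subject, "{%s}Attribute" % XACML_CTX,
                                  AttributeId=attr.get("Name"),
                                  DataType=_xacml_datatype(values[0]),
                                  Issuer=issuer)
            for v in values:
                ET.SubElement(xattr, "{%s}AttributeValue" % XACML_CTX).text = (v.text or "").strip()
    # Resource, Action and Environment are mandatory in an XACML 2.0 Request;
    # the PEP fills them in from the access request itself.
    for tag in ("Resource", "Action", "Environment"):
        ET.SubElement(request, "{%s}%s" % (XACML_CTX, tag))
    return request, dropped


def summarize(request):
    """Flatten the Subject attributes for inspection or assertion."""
    out = []
    for a in request.iter("{%s}Attribute" % XACML_CTX):
        vals = tuple(v.text for v in a.findall("{%s}AttributeValue" % XACML_CTX))
        out.append((a.get("AttributeId"), a.get("DataType"), a.get("Issuer"), vals))
    return out


# Constructed sample: one valid assertion, one expired, one from an unknown IdP.
SAMPLE_SAML = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:xsi="%s" xmlns:xs="%s">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotBefore="2003-09-05T18:00:00Z" NotOnOrAfter="2003-09-05T20:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:role">
        <saml:AttributeValue xsi:type="xs:string">auditor</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:example:clearance">
        <saml:AttributeValue xsi:type="xs:integer">3</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotOnOrAfter="2003-09-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <saml:Assertion>
    <saml:Issuer>https://rogue.example.net</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (SAMLP, SAML, XSI, XS)

TRUSTED = {"https://idp.example.org"}
NOW = datetime(2003, 9, 5, 19, 0, tzinfo=timezone.utc)  # assumed evaluation time


def demo():
    request, dropped = saml_to_xacml_request(SAMPLE_SAML, TRUSTED, NOW)
    return summarize(request), dropped


if __name__ == "__main__":
    req, dropped = saml_to_xacml_request(SAMPLE_SAML, TRUSTED, NOW)
    print(ET.tostring(req, encoding="unicode"))
    print("dropped:", dropped)
```

The two "admin" role values never reach the Request Context: one is stale, the other is from an issuer the PEP does not trust. That is the difference between "all attributes the AA knows" and "attributes the PDP may rely on" that the reply above draws, and doing the pruning at translation time keeps the returned context from carrying baggage the policy could never have used.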
