Subject: RE: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded


Hi Colin,

See comments in-line:

 

From: Colin.Wallis@ssc.govt.nz [mailto:Colin.Wallis@ssc.govt.nz]
Sent: 02 July 2008 07:12
To: Giles Hogben; paul.spencer@boynings.co.uk; egov-ms@lists.oasis-open.org
Cc: Konstantinos Moulinos
Subject: RE: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded

 

Hi Giles

 

Comments inline

 

Cheers

Colin

 

1. Does the SAML comparison you mention refer to implementations of SAML Authentication Context (i.e. Authentication Policy mappings) or just SAML assertion tokens?

<<CW: AuthnContext. It got published to the OASIS SSTC overnight>>

http://www.oasis-open.org/committees/document.php?document_id=28706&wg_abbrev=security

   

2. Are you suggesting that it wouldn't make sense to start yet another initiative within the OASIS eGov group, or does this suggest that some global level standardization work would actually be a good thing wrt these diverse initiatives?

<<CW: the eGov Member Section isn't a Technical Committee. But we are in a perfect position to overview standards being discussed in other TCs, bring them use cases, comments etc. Regarding global standardisation, that initiative has already started really (per (1) above). If interop and federation are the objectives in a pan-government context, we should strive for convergence (easiest to implement), and if not, interop and mapping (less easy).>>

 

My feeling is that what needs to be standardized is :

1. the way of binding SAML assertions to Authentication Levels – and then people will point to whichever policy they feel most comfortable with. I.e. a de facto standard may emerge.

<<CW: If I understand your comment correctly, I'd say that the de facto standard already exists in NIST 800-63 that does this, and is now deployed globally>>.

 

**This is true to a certain extent, but in Europe, it is certainly not true. We have a plethora of different models, as you can see in the IDABC country reports (on the page I sent earlier).

 

 

2. However, a well-structured, human readable model of authentication mechanisms which can be mapped to NIST, EU (IDABC), NZ etc... models might also be useful. SAML Authentication Context doesn't fulfil that role at the moment because it's only defined by an XML schema with no human-readable content at all.

<<CW: Hmm, I accept your point about the modelling, but XML is human readable isn't it? OK, OK, not everyone's favourite read, but look at this excerpt from NZ's own authentication messaging spec (the GLS stands for the Government Logon Service).

**

1. Even as XML, Authentication-Context is not a well defined standard. There is NO documentation for any of the elements in the schema other than what you can find inside the actual XSD definition. Even that is not very complete.

2. Even if there were documentation, a standardised model is useful at the level of human-readable policy – so an XML, machine-readable standard is not the right place for it. I don't say that it wouldn't be relatively easy to translate it into a human readable policy language.

3. The SAML AC model is not able to express many aspects at least of the models we find in Europe (e.g. use of qualified signatures) – except by extension (i.e. it doesn't define all the required semantics)

 

 

 

Element <RequestedAuthnContext>

 

This element must be present to specify the authentication type required.  It will also have impact on the authentication context of the resulting authentication statements in the response.

 

Attribute / Element: AuthnContextClassRef
  SAML2.0 Requirement: Either AuthnContextClassRef or AuthnContextDeclRef MUST be provided.
  GLS Requirement: MUST be provided. The URI reference must be of the specified set below.

Attribute / Element: AuthnContextDeclRef
  SAML2.0 Requirement: Either AuthnContextClassRef or AuthnContextDeclRef MUST be provided.
  GLS Requirement: MUST NOT be provided.

Attribute / Element: Comparison
  SAML2.0 Requirement: MAY be provided. Specifies the comparison method used to evaluate the requested context classes or statements, one of "exact", "minimum", "maximum", or "better". The default is "exact".
  GLS Requirement: MAY be provided to specify how the AuthnContextClassRef evaluates. If not provided then it SHALL be defaulted to 'minimum' such that the resulting authentication context in the authentication statement SHALL be at least as strong (as deemed by the responder) as one of the authentication contexts specified.

 

 

 

 

The supported set of AuthnContextClassRef values will be:

AuthnContextClassRef | Responder Deemed Authentication Strength (in NZ SAML 1x implementation)
urn:nz:govt:authn:names:SAML:2.0:ac:classes:LowStrength | 10
urn:nz:govt:authn:names:SAML:2.0:ac:classes:ModStrength | 20

 

1.3 Sample Request

 

The following is a sample URL that contains a SAML request containing an AuthnRequest sent over the HTTP-Redirect Binding.

 

The following is a sample AuthnRequest that is decoded from the binding:

 

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceIndex="0"
  Destination="https://www.logon.govt.nz/sso/SSO"
  ID="e9cfc575da6c63fef46ae2f399022003"
  IssueInstant="2007-08-08T21:16:38Z"
  ProviderName="Sample Service Provider"
  Version="2.0">
  <saml:Issuer>
    https://www.sample-sp.govt.nz/realm/samlapp1
  </saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  </samlp:NameIDPolicy>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>
      urn:nz:govt:authn:names:SAML:2.0:ac:classes:ModStrength
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

 

 

 

2. The SAML Response

This process defines the SAML2.0 messaging for the response.  The response will complete the SAML transaction by the IdP sending a message to the SP that provides statements about the user’s logon.

 

A sample message is as follows: <snipped>

            <saml:AuthnContext>
              <saml:AuthnContextClassRef>
                urn:nz:govt:authn:names:SAML:2.0:ac:classes:ModStrength
              </saml:AuthnContextClassRef>
            </saml:AuthnContext>
          </saml:AuthnStatement>
        </saml:Assertion>
      </samlp:Response>
    </samlp:ArtifactResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

From: Colin.Wallis@ssc.govt.nz [mailto:Colin.Wallis@ssc.govt.nz]
Sent: 01 July 2008 11:06
To: paul.spencer@boynings.co.uk; Giles Hogben; egov-ms@lists.oasis-open.org
Subject: RE: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded

 

Greetings again both!

 

NZ already uses a human-readable credential strength (nil/negligible, low, moderate, high) that maps to the NIST levels 1-4.

 

And very soon (like a week or so) you will see a draft profile appear in the SSTC from Eric Tiffany, Liberty Alliance including this.

 

Cheers

Colin

PS: Giles, the eGov SIG in Liberty is working on an eGov profile that shows all the similarities and differences with the respective implementations of SAML around governments - starting with the US, Denmark and NZ, as they were the only 3 willing players to start with. It's a pretty useful piece of work!  I tried John Steinen several times but no luck...

 

--
Colin Wallis
Programme Manager, Authentication Standards
State Services Commission
DDI: +64 4 495 6758
Mob: 027 244 7135
Fax: +64 4 495 6669
Colin.Wallis@ssc.govt.nz
www.ssc.govt.nz | www.e.govt.nz | newzealand.govt.nz

New Zealand's State Services Commission: Leading the state sector to world class performance
...........................................................................................................................................
Caution: If you have received this message in error please notify the sender immediately and then delete this message along with any attachments.  Please treat the contents of this message as private and confidential.

 

 

 


From: Paul Spencer [mailto:paul.spencer@boynings.co.uk]
Sent: Tuesday, 1 July 2008 7:22 p.m.
To: Giles Hogben; egov-ms@lists.oasis-open.org
Subject: RE: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded

Giles,

 

Yes, this is in the scope of the work I will be doing, and the area I know least about. If it is a work in progress, I can wait a couple of months before looking at it properly. But if there is something I could see to get an overview, that would be useful.

 

Regards

 

Paul

-----Original Message-----
From: Giles Hogben [mailto:Giles.Hogben@enisa.europa.eu]
Sent: 01 July 2008 07:23
To: Colin.Wallis@ssc.govt.nz; johnaborras@yahoo.co.uk; paul.spencer@boynings.co.uk; egov-ms@lists.oasis-open.org
Subject: RE: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded

Hi All,

I can help you with information about the eID interop specs. In fact, we at ENISA (European Network and Information Security Agency) have been working on a model of the Authentication part of this specification using Oasis SAML. As a result of this, we have some ideas for work which could be done within the eGov group in standardising a set of human-readable authentication policies (strength levels). Would this be of interest?

 

If you’ve not seen the documents, for the IDABC work, they are here: http://ec.europa.eu/idabc/en/document/6484/5644

 

Regards,

 

Giles

 

 

Giles Hogben

Network Security Policy Expert

European Network & Information Security Agency (ENISA)

 

 

 

From: Colin.Wallis@ssc.govt.nz [mailto:Colin.Wallis@ssc.govt.nz]
Sent: 01 July 2008 01:29
To: johnaborras@yahoo.co.uk; paul.spencer@boynings.co.uk; egov-ms@lists.oasis-open.org
Subject: RE: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded

 

Paul

 

Thanks for thinking of us downunder!  

 

(Useful links too John, thanks! I can't seem to get any response from John Seimen on the Common Specs for eID interoperability so if you have any influence there I'd most appreciate it)

 

I'm not directly involved with the NZ e-GIF these days although the group of Authentication standards I work on are e-GIF standards.

 

It has been ticking along but the challenges remain of keeping it updated and relevant, developing a registry/repository of any local profiling of schema fragments, namespaces etc, and governance.

 

As far as Australia is concerned see here:

 

http://www.finance.gov.au/agimo/index.html

They have an e-gov link.

Also look at www.govdex.gov.au

The Australian States are worth a look too - Victoria, Queensland etc. 

Cheers

Colin

PS: I leave for Europe on Friday: next week in Stockholm for the Liberty Alliance, but I do have some time on Friday 11th July in the afternoon in/around London if you wanted to catch up? Global roaming mobile is +64 27 2225169.

  

--
Colin Wallis
Programme Manager, Authentication Standards
State Services Commission
DDI: +64 4 495 6758
Mob: 027 244 7135
Fax: +64 4 495 6669
Colin.Wallis@ssc.govt.nz
www.ssc.govt.nz | www.e.govt.nz | newzealand.govt.nz

 

 

 


From: John Borras [mailto:johnaborras@yahoo.co.uk]
Sent: Saturday, 28 June 2008 4:10 a.m.
To: Paul Spencer; egov-ms@lists.oasis-open.org
Subject: Re: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded

Paul

 

In answer to your question I can give you the UK situation but you know that already. However what may be of more importance is what the EU's CAMMS project comes up with. Have a look at the project details at http://ec.europa.eu/idabc/en/document/7407. This may change some current practices so one to watch for the future.

 

You might also watch for the publication of the draft of the EU's EIF v2 next week on the IDABC site. That may impact/change some current eGIFs.
 

Regards
John

 

M. +44 (0)7976 157745
Skype: gov3john

 

----- Original Message ----
From: Paul Spencer <paul.spencer@boynings.co.uk>
To: egov-ms@lists.oasis-open.org
Sent: Friday, 27 June, 2008 4:54:12 PM
Subject: RE: [egov-ms] Groups - eGov Work Plan 2008-9 (eGMSWorkPlan2008-9.doc) uploaded

Hi all,

I am being commissioned to do some work that fits in exactly with Goal 1 in the work plan. This is to review interoperability frameworks world-wide, and produce a framework for a specific developing nation. I should probably wait for contracts to be in place before naming the country. I would also like to publish the result of the review through this member section, but that will again depend on the terms of the contract.

I am very familiar with the UK e-GIF and the current work on the Cross-Government Enterprise Architecture. I have also looked at the NZ version. I would be very interested to be pointed at other frameworks that people think worth reading. We all know that Governments only publish the good news, so I would also value "warts and all" opinions of them since the views of people who have used them are the most valuable. In the light of experience, what would you do differently if you were doing it again? I can put opinions in anonymously if preferred and people are very welcome to see what I write before I publish. Even opinions that you do not want me to publish at all are helpful in avoiding re-inventing the square wheel[1].

Once I am a bit further down the road, I will ask some questions that might stimulate some discussion and make this list more active. In fact here is one to start: to what extent are the standards that are mandated by Governments driven by best practice, and to what extent by vested interests?

All input welcome, either via the list or direct email.

[1] Those in the UK will know that Austin got there first with the Allegro, which had a "quartic" (square to you and me) steering wheel.

Regards

Paul Spencer
Director
Boynings Consulting Ltd
t: +44 845 2292205
m: +44 7957 578843
f: +44 845 2292206
http://boynings.co.uk

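The GLS excerpt quoted in Colin's reply above assigns a responder-deemed strength to each AuthnContextClassRef and defaults Comparison to "minimum" rather than the SAML 2.0 default "exact". As an added example (not code from the thread or from the NZ GLS specification), the following Python parses a RequestedAuthnContext and evaluates the class asserted in a response against it under those rules; the trimmed AuthnRequest is constructed, and the readings of "maximum" and "better" are assumptions.

```python
# Added example (not from the thread or the NZ GLS spec): checks whether the
# AuthnContextClassRef asserted in a response satisfies the AuthnRequest's
# RequestedAuthnContext, using the GLS strength table quoted in the thread.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Responder-deemed strengths from the GLS table quoted in the thread.
LOW = "urn:nz:govt:authn:names:SAML:2.0:ac:classes:LowStrength"
MOD = "urn:nz:govt:authn:names:SAML:2.0:ac:classes:ModStrength"
STRENGTH = {LOW: 10, MOD: 20}
# Constructed AuthnRequest, trimmed from the thread's sample; it carries no
# Comparison attribute, so the GLS default applies.
REQUEST_XML = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="example-id" Version="2.0">
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>
      urn:nz:govt:authn:names:SAML:2.0:ac:classes:ModStrength
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def requested_context(authn_request_xml, default_comparison="minimum"):
    """Return (requested class refs, comparison). GLS defaults Comparison to
    "minimum"; pass default_comparison="exact" for plain SAML 2.0 behaviour."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        raise ValueError("RequestedAuthnContext is required by the GLS profile")
    # The pretty-printed sample surrounds the URI with whitespace: strip it.
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    if not refs:
        raise ValueError("AuthnContextClassRef MUST be provided")
    return refs, rac.get("Comparison", default_comparison)

def satisfies(requested_refs, comparison, asserted_ref):
    """Apply the SAML Comparison rules to responder-deemed strengths. A class
    outside the supported set (requested or asserted) never satisfies."""
    if asserted_ref not in STRENGTH or any(r not in STRENGTH for r in requested_refs):
        return False
    got, wanted = STRENGTH[asserted_ref], [STRENGTH[r] for r in requested_refs]
    if comparison == "exact":
        return got in wanted
    if comparison == "minimum":  # at least as strong as one of those requested
        return got >= min(wanted)
    if comparison == "maximum":  # as strong as possible without exceeding any
        return got <= max(wanted)
    if comparison == "better":   # strictly stronger than every class requested
        return got > max(wanted)
    raise ValueError("unknown Comparison value: " + comparison)
```

With the constructed request, a ModStrength assertion satisfies the request while a LowStrength one does not; an unknown class never satisfies, so the responder cannot be satisfied by a class outside the profile's supported set.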