security-services message
Subject: RE: XACML scope w.r.t. SAML


Title: In the interest of facilitating the merger of XACML a pre-TC effort into the SAML TC at a future date or the ongoing interoper

Ernesto certainly got my point.


There is some confusion within SAML itself regarding AuthZ and AuthN. AuthZ is one area of clear overlap. However, the information contained in AuthN, i.e. authentication events and protocols, could be quite relevant to establishing policy, e.g. allow access if the protocol was X9.9. One would hope that the representation of such data would be similar, even if the information is communicated in separate containers.


Perhaps someone from security-services could clarify.


Simon Y. Blackwell

CTO

Psoom, Inc.

Voice & Fax: 415-762-9787


-----Original Message-----
From: ernesto damiani [mailto:edamiani@crema.unimi.it]
Sent: Thursday, March 01, 2001 10:15 AM
To: Simon Y. Blackwell; 'Xacml-Discuss (E-mail)'
Subject: XACML scope w.r.t. SAML


I believe some interesting observations can be made starting from this excerpt of Simon's last message:


"Allow <subject> to <verb> <object> only if they logged in using an X9.9 Challenge-Response."


[sblackwell] LARGE PORTION OF MESSAGE DELETED FOR BREVITY


[R-AuthN] SAML should define a data format for authentication assertions, including descriptions of authentication events. This includes time of authentication event and authentication protocol.


[R-AuthZ] SAML should define a data format for authorization attributes. Authorization attributes ("authz attributes") are attributes of a principal that are used to make authorization decisions, e.g. an identifier, group or role membership, or other user profile information.


I believe that the second requisite is aimed at prescribing how to represent <subject>, so there is a strong overlap here. Am I right?

As for the first requirement, honestly I am not sure I fully understand it. Are "description of authentication events" prescriptions about authentication algorithms, as in the "only if" part of our initial example?

If this is the case, this is outside our scope and could be dealt with in a separate namespace.

I am inclined to think that separate namespaces should be defined for the XML-AC language itself (Allow <subject> to <verb> <object>) and for the prescription of authentication techniques and the like. But perhaps I got the second requirement wrong.


Best regards


Ernesto
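To make concrete the overlap both messages are discussing, here is an added illustration (not part of the thread, and not XACML or SAML syntax): the "Allow <subject> to <verb> <object> only if they logged in using X9.9 Challenge-Response" rule evaluated against an authentication event and authorization attributes carried in two separate namespaces. The namespace URIs, element names and sample values are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Hypothetical namespaces (constructed): one for the access-control language,
# one for authentication-event descriptions, as Ernesto proposes.
AC_NS = "urn:example:xml-ac"
AUTHN_NS = "urn:example:authn"

# Constructed sample: an authentication assertion (event time and protocol)
# and authorization attributes (role) for one principal, in separate containers.
ASSERTIONS = f"""<assertions xmlns:ac="{AC_NS}" xmlns:an="{AUTHN_NS}">
  <an:AuthenticationEvent subject="alice" protocol="X9.9-challenge-response"
                          time="2001-03-01T10:15:00Z"/>
  <ac:AuthzAttributes subject="alice"><ac:Role>accountant</ac:Role></ac:AuthzAttributes>
</assertions>"""

def load_assertions(xml_text):
    """Merge both containers into one view per principal."""
    root = ET.fromstring(xml_text)
    principals = {}
    for ev in root.findall(f"{{{AUTHN_NS}}}AuthenticationEvent"):
        p = principals.setdefault(ev.get("subject"), {"roles": set(), "protocol": None})
        p["protocol"] = ev.get("protocol")
    for attrs in root.findall(f"{{{AC_NS}}}AuthzAttributes"):
        p = principals.setdefault(attrs.get("subject"), {"roles": set(), "protocol": None})
        for role in attrs.findall(f"{{{AC_NS}}}Role"):
            p["roles"].add(role.text)
    return principals

# The rule from the thread: the role condition comes from authz attributes,
# the "only if" condition from the authentication event.
RULES = [
    {"role": "accountant", "verb": "read", "object": "ledger",
     "required_protocol": "X9.9-challenge-response"},
]

def decide(principals, subject, verb, obj, rules=RULES):
    """Default-deny evaluation: permit only when a rule matches both containers."""
    p = principals.get(subject)
    if p is None:
        return "deny"  # no assertions at all for this principal
    for r in rules:
        if r["verb"] == verb and r["object"] == obj and r["role"] in p["roles"]:
            if p["protocol"] == r["required_protocol"]:
                return "permit"
    return "deny"  # unmatched rule, or the login protocol was weaker than required
```

The last assertion in the test below is the point of Simon's message: with the same role but a password login, the decision flips to deny, so the policy engine must consume the authentication container as well as the authorization one.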