[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Comments on draft-sstc-saml-spec-00
Hi Folks, I have a few comments on the current SAML spec document. Unfortunately I will not be at the FTF, but I hope some may find the following useful. First I would like to say that it is shaping up very well - a lot of progress since the last FTF. Here are my specific comments. Line 115 (static model) and Line 172 (producer consumer model): Currently the producer-consumer and static models seem to be in misalignment on attribute authority. I found the static model relationships involving attribute authority a bit confusing. I think one of the problems is that we have it issuing authorization attributes (at least as I interpret the diagram). However in the producer-consumer model we have it issuing attribute assertions. To my mind there are two possibilities call it attribute authority and have it issue attribute assertions; call it authorization authority and have it issue authorization assertions. Line 139 (Authorization Assertion) I had some difficulty aligning this definition with the core-assertion model I see evolving. It seems to have in mind some all encompassing (optionally signed) data structure containing all the attributes that a PDP would need to make a decision. I think the model implicit in the core assertion work is one of atomic assertions. The advice element (Line 572) allows for the inclusion of other assertions (or references to other assertions). However, the intent is that these assertions are supporting evidence, used in arriving at the encompassing assertion. In the general case, I cannot see what purpose it would serve to have PDPs consume a single signed data structure containing assertions signed by other authorities. It seems to me that the general case is for the PDP to check the individual assertions (which could easily be grouped together in a single message). Also I could not figure out from the static model what issues an Authorization Assertion. Note also that the current core assertion model (line 252) only defines "Authentication Assertion", "Attribute Assertion", "[Authorization] Decision Assertion". Line 146 (Policy Decision Point) I note Marlena has done a fair bit of work recently. I think it is important to capture the idea of the PDP using assertions - the current definition does not mention assertions. I propose the following alternative definition which is a lightly edited reworking of the current text. "The place where a decision is arrived at as a result of evaluating submitted assertions, the requested operation, and the requested resource in light of applicable security policy." Line 546 (Element <Object>) Using string to denote an object seems to me to be unnecessarily weak. I doesn't have a well defined semantics. Contrast with Element <subject> where I think the semantics associated with keyInfo, Role and Account are better understood. I would prefer for us to tackle what I believe is likely to be the common case and have URIs. Also I think we should give consideration to being able to specify sets of resources in a single element. Again I believe a common case will be issue assertions referencing sets of resources (e.g. in a folder). Line 556 (Element <Action> There seemed to be a cut and paste problem here (repeat of definition of Element <object>). I am more comfortable with having the semantics of this loosely defined (i.e. string). Since the semantics of the string will be defined by the object to which it is applied. If you are still reading, I hope you found some of the above useful ;-) I hope you have a successful FTF. Nigel.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC