security-services message
Subject: diff of Orchard-Maler assertion 001 and Core Assertions .09


I went through and did most of an element by element diff of the two
approaches.  I certainly see major convergence.  I'm extremely pleased to
see the use of an abstract claim type in PHB's model; this was a major
objection of mine to 0.7.  However, I still believe that more stringent
cardinalities should be specified.  I like the use of extended attributes,
but I do think that a different schema extension mechanism should be used.
The use of strongly typed queries is potentially interesting.  I certainly
like the idea of them being instances of XQueries.

I think the summary of the differences is:
1) different placement of version, issuer, issueinstant in hierarchy
2) OM model uses a subjectAssertionType to consolidate 3 of the 4 assertion
types
3) PHB model uses strongly typed requests
4) use of term Claim versus Assertion.  
5) PHB allows for an attribute string, whereas OM does not
6) OM model of extension allows for non-SAML namespaced items, whereas PHB
requires a subtype.  AttributeClaim, Permissions, 
7) Query structures, we'll see from the examples the need for general or
typed queries.
8) PHB has 1 layer deep authorization structure, to associate Resources with
Permissions.  OM flattened this.  Our logic is that if there are many
different resources to associate with a permission, it's a simple matter to
replicate the authorizationAssertion.  OM optimized for the simple case,
where a subject has a permission for a resource, whereas PHB optimized for
many resources per subject.
9) OM allows an input AssertionsPackage
10) OM has more stringent cardinalities, such as exactly 1 subject in
SubjectAssertionTypes, 1 resource and 1 permission in authorization
assertion, whereas PHB leaves these from 0 to unbounded.  This is related to
#7.  
11) Different diagram styles.
12) Different documentation styles:
12a) OM contains Design guidelines section
12b) OM gives complete examples and schema at end, PHB intermixes schema
fragments in doc
12c) OM gives an explicit rationale section for each element
12d) OM lists issues for many elements, PHB lists no issues for any elements
13) OM lists sample requests for illustration purposes.

The details are

SAMLRequesttype/SAMLQuery:

o OM has Version 
o OM has SubjectAssertionPackage
o PHB has Respond

Query structures:
o OM uses XQuery structure
o PHB has strongly typed Subject/Authentication/Authorization/Attribute
Queries

SAMLResponseType/SAMLQueryResponse
o OM has Version

AssertionsPackageType/SAMLAssertionsPackage
o PHB has Version
o PHB has issuer, issueinstant.

AssertionType/AbstractClaimType
o OM has Version
o OM has AssertionID
o OM has issuer, issueinstant.
o PHB has AssertionRef

DecisionType/DecisionClaim
- no real difference!

AttributeAssertionType/ExtendedAttributeClaim
o PHB has Attribute, OM allows any extension

AuthenticationAssertionType/AuthenticationClaim
- no real difference!

AuthorizationAssertionType/AuthorizationClaim
o OM has Resource, Permission.  PHB has Authorization which has
Resource/Permission/ExtendedPermission.
o OM has minOccurs of 1 on resource, permission

Permissions/Conditions/Advice
- I didn't go into detail; I'm not too concerned about this right now.

Cheers,
Dave Orchard
XML Architect
Jamcracker Inc.,    19000 Homestead Dr., Cupertino, CA 95014
p: 408.864.5118     m: 604.908.8425    f: 408.725.4310

www.jamcracker.com - Sounds like a job for Jamcracker.
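The following is an added example, not part of Dave Orchard's message and not code from either draft (OM or PHB). It illustrates points 8 and 10 of the diff above from a relying party's point of view: checking an authorization assertion against an OM-style profile (exactly one subject, resource and permission) versus a PHB-style profile (0 to unbounded), and flattening a multi-resource assertion into one assertion per resource, which the message says is "a simple matter". The namespace URI, element names, the AssertionID suffixing and the sample assertions are constructed for this example and are not from either schema.

```python
# Added example (not from the original message or either draft schema).
# Illustrates points 8 and 10 of the diff: cardinality checking and
# flattening of a multi-resource authorization assertion. The namespace,
# element names and sample assertions below are constructed.
import copy
import xml.etree.ElementTree as ET

NS = "urn:example:saml-draft"          # hypothetical namespace, not a real SAML URI
ET.register_namespace("", NS)          # serialise with a default namespace


def q(name):
    """Clark-notation qualified name for a child element in NS."""
    return f"{{{NS}}}{name}"


# Cardinality profiles: child element -> (minOccurs, maxOccurs); None = unbounded.
STRICT = {"Subject": (1, 1), "Resource": (1, 1), "Permission": (1, 1)}          # OM-style
LOOSE = {"Subject": (0, None), "Resource": (0, None), "Permission": (0, None)}  # PHB-style


def cardinality_violations(assertion, profile):
    """Return the list of profile violations for one assertion element (empty if valid)."""
    violations = []
    for child, (lo, hi) in profile.items():
        n = len(assertion.findall(q(child)))       # direct children only
        if n < lo or (hi is not None and n > hi):
            upper = "unbounded" if hi is None else hi
            violations.append(f"{child}: found {n}, allowed {lo}..{upper}")
    return violations


def check(xml_text, profile):
    """Parse an assertion and check it against a cardinality profile."""
    return cardinality_violations(ET.fromstring(xml_text), profile)


def flatten(assertion):
    """Split an assertion with N Resource children into N copies with one Resource each.

    Each copy gets a distinct AssertionID suffix; that is a choice made for this
    example, the message only says the assertion is replicated.
    """
    resources = assertion.findall(q("Resource"))
    base_id = assertion.get("AssertionID")
    copies = []
    for keep in range(len(resources)):
        clone = copy.deepcopy(assertion)
        for i, res in enumerate(clone.findall(q("Resource"))):
            if i != keep:
                clone.remove(res)
        if base_id is not None:
            clone.set("AssertionID", f"{base_id}-{keep + 1}")
        copies.append(clone)
    return copies


def flatten_xml(xml_text):
    """Convenience wrapper: flatten serialised XML and return the serialised copies."""
    return [ET.tostring(c, encoding="unicode") for c in flatten(ET.fromstring(xml_text))]


# Constructed sample: one subject, two resources, one permission. Valid under the
# PHB-style profile; under the OM-style profile it must be flattened first.
MULTI_RESOURCE = f"""<AuthorizationAssertion xmlns="{NS}" AssertionID="a1">
  <Subject>alice@example.test</Subject>
  <Resource>urn:example:res/a</Resource>
  <Resource>urn:example:res/b</Resource>
  <Permission>read</Permission>
</AuthorizationAssertion>"""

# Constructed sample: no subject and two permissions. A loose profile accepts it
# and leaves each relying party to decide what it means; a strict one rejects it.
AMBIGUOUS = f"""<AuthorizationAssertion xmlns="{NS}" AssertionID="a2">
  <Resource>urn:example:res/c</Resource>
  <Permission>read</Permission>
  <Permission>write</Permission>
</AuthorizationAssertion>"""

if __name__ == "__main__":
    for label, doc in (("multi-resource", MULTI_RESOURCE), ("ambiguous", AMBIGUOUS)):
        print(f"{label}: loose={check(doc, LOOSE)} strict={check(doc, STRICT)}")
    for part in flatten_xml(MULTI_RESOURCE):
        print("flattened ->", check(part, STRICT), part)
```

Run as a script it prints the violations under each profile and the two flattened assertions. The point of the strict profile is that an assertion with no subject or with several permissions is rejected at the relying party instead of being interpreted differently by each consumer; the flattening step shows the cost of that strictness is small, as point 8 argues.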

