security-services message



Subject: Consensus Draft schema and discussion papers.


Here, slightly delayed from Friday due to Visio-related problems you don't
need to know about, are the drafts of the consensus schema and some
discussion papers related to them.

The files attached to this message should be as follows:

draft-schema-assertion-10.xsd: the draft of the core assertion schema

draft-schema-protocol-10.xsd: the draft of the request/response protocol
schema

xmldsig-core-schema.xsd: the XML_DSIG schema; this is included as a
convenience for people using schema tools, as this is imported into our
schema to provide the <ds:KeyInfo> element

draft-sstc-core-discussion-00.doc: A Word document discussing the core
assertion schema and providing some examples of how the various assertions
would look.

draft-sstc-protocol-discussion-00.doc: A Word document discussing the
request/response protocol and providing some examples of how the documents
might look.

It is my understanding that Phil will revise the formal specifications
document to update it to this schema, but the discussion documents are
provided to act as an informal internal explanation of the schema and its
connection to the F2F whiteboard results. Specific issues are also called
out in the discussion documents.

A couple of points:

0) My personal Visio issues continue, and I have not been able to prepare
the diagrams that I had intended to accompany these discussion documents.
I'm going to keep messing about with it and will issue diagrams in some form
or another (most likely as a companion document) as soon as I can.

1) We don't present requirements for identifier syntax for such things as
assertion IDs, version, Issuer fields, etc., but rather have left these as
open issues. Naturally, however, in order to provide examples we have had to
provide something; this is not intended to be normative, but rather just to
allow for a complete example. For example, string representations of GUIDs
have been used in the examples for Assertion IDs--this is not intended as a
suggestion that the TC specify that IDs will be GUIDs, but is just in the
way of an example. (For the record, my _personal_ stance on almost all the
identifier questions is that the less formal rules on content form that
there are the better.)

2) The schema is presented according to the October 2000 version of the
schema language. At some point we should probably update it to the 2001
specification. Among other things this means that uriReferences would become
"anyURI"s and "timeInstant"s would become "dateTime"s.

Chris
--
Chris McLaren, Principal Engineer
B2B Research Group  Netegrity, Inc.
cmclaren@netegrity.com   chris.mclaren@ieee.org

draft-sstc-protocol-discussion-00.doc

draft-sstc-core-discussion-00.doc

<?xml version="1.0" encoding="UTF-8"?>
<!-- Renegade Whiteboard Schema -->
<!-- Authors: Chris McLaren, Prateek Mishra, Philip Hallan-Baker, David Orchard -->
<schema targetNamespace="http://www.oasis.org/tbs/1066-12-25/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsd="http://www.w3.org/2000/10/XMLSchema" xmlns:saml="http://www.oasis.org/tbs/1066-12-25/" xmlns="http://www.w3.org/2000/10/XMLSchema" elementFormDefault="unqualified">
	<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
	<annotation>
		<documentation>draft-schema-consensus-10.xsd</documentation>
	</annotation>
	<element name="AssertionID" type="saml:IDType"/>
	<simpleType name="IDType">
		<restriction base="string"/>
	</simpleType>
	<simpleType name="DecisionType">
		<restriction base="string">
			<enumeration value="Permit"/>
			<enumeration value="Deny"/>
			<enumeration value="Indeterminate"/>
		</restriction>
	</simpleType>
	<element name="Assertion" type="saml:AssertionType"/>
	<complexType name="AssertionType" abstract="true">
		<sequence>
			<element name="Conditions" type="saml:ConditionsType" minOccurs="0"/>
			<element name="Advice" type="saml:AdviceType" minOccurs="0"/>
		</sequence>
		<attribute name="Version" type="string" use="required"/>
		<attribute name="AssertionID" type="saml:IDType" use="required"/>
		<attribute name="Issuer" type="string" use="required"/>
		<attribute name="IssueInstant" type="timeInstant" use="required"/>
	</complexType>
	<element name="AssertionSpecifier" type="saml:AssertionSpecifierType"/>
	<complexType name="AssertionSpecifierType">
		<choice>
			<element ref="saml:AssertionID"/>
			<element ref="saml:Assertion"/>
		</choice>
	</complexType>
	<complexType name="SubjectAssertionType" abstract="true">
		<complexContent>
			<extension base="saml:AssertionType">
				<sequence>
					<element ref="saml:Subject"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="AuthenticationAssertionType">
		<complexContent>
			<extension base="saml:SubjectAssertionType">
				<sequence>
					<element ref="saml:AuthenticationCode"/>
					<element name="AuthenticationInstant" type="timeInstant"/>
					<element name="AuthLocale" type="saml:AuthLocaleType" minOccurs="0"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="AuthenticationCode" type="saml:AuthenticationCodeType"/>
	<simpleType name="AuthenticationCodeType">
		<restriction base="string"/>
	</simpleType>
	<complexType name="AttributeAssertionType">
		<complexContent>
			<extension base="saml:SubjectAssertionType">
				<sequence>
					<element ref="saml:Attribute" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="AuthorizationDecisionAssertionType">
		<complexContent>
			<extension base="saml:SubjectAssertionType">
				<sequence>
					<element ref="saml:Object"/>
					<element name="Answer" type="saml:DecisionType"/>
					<element ref="saml:Evidence" minOccurs="0" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="Subject" type="saml:SubjectType"/>
	<complexType name="SubjectType">
		<choice maxOccurs="unbounded">
			<element ref="saml:NameIdentifier" minOccurs="0" maxOccurs="unbounded"/>
			<element ref="saml:HolderOfKey" minOccurs="0" maxOccurs="unbounded"/>
			<element ref="saml:AssertionSpecifier" minOccurs="0" maxOccurs="unbounded"/>
		</choice>
	</complexType>
	<element name="HolderOfKey" type="saml:HolderOfKeyType"/>
	<complexType name="HolderOfKeyType">
		<sequence>
			<element name="Protocol" type="uriReference" maxOccurs="unbounded"/>
			<element name="Authdata" type="string" minOccurs="0"/>
			<element ref="ds:KeyInfo" minOccurs="0"/>
		</sequence>
	</complexType>
	<element name="NameIdentifier" type="saml:NameIdentifierType"/>
	<complexType name="NameIdentifierType">
		<sequence>
			<element name="SecurityDomain" type="string"/>
			<element name="Name" type="string"/>
		</sequence>
	</complexType>
	<element name="Advice" type="saml:AdviceType"/>
	<complexType name="AdviceType">
		<sequence>
			<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</sequence>
	</complexType>
	<element name="Conditions" type="saml:ConditionsType"/>
	<complexType name="ConditionsType">
		<sequence>
			<element name="Condition" type="saml:AbstractConditionType" minOccurs="0" maxOccurs="unbounded"/>
		</sequence>
		<attribute name="NotBefore" type="timeInstant" use="optional"/>
		<attribute name="NotOnOrAfter" type="timeInstant" use="optional"/>
	</complexType>
	<complexType name="AbstractConditionType" abstract="true"/>
	<element name="AudienceRestrictionCondition" type="saml:AudienceRestrictionConditionType"/>
	<complexType name="AudienceRestrictionConditionType">
		<complexContent>
			<extension base="saml:AbstractConditionType">
				<sequence>
					<element name="Audience" type="xsd:uriReference" minOccurs="0" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="AuthLocaleType">
		<sequence>
			<element name="IP" type="string" minOccurs="0"/>
			<element name="DNS_Domain" type="string" minOccurs="0"/>
		</sequence>
	</complexType>
	<complexType name="AttributeValueType">
		<sequence>
			<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</sequence>
	</complexType>
	<element name="Attribute" type="saml:AttributeType"/>
	<complexType name="AttributeType">
		<sequence>
			<element name="AttributeName" type="string"/>
			<element name="AttributeNamespace" type="uriReference" minOccurs="0"/>
			<element name="AttributeValue" type="saml:AttributeValueType" minOccurs="0" maxOccurs="unbounded"/>
		</sequence>
	</complexType>
	<element name="Evidence" type="saml:AssertionSpecifierType"/>
	<element name="Object" type="saml:ObjectType"/>
	<complexType name="ObjectType">
		<sequence>
			<element name="Resource" type="xsd:uriReference"/>
			<element name="Namespace" type="uriReference" minOccurs="0"/>
			<element name="Action" type="string" maxOccurs="unbounded"/>
		</sequence>
	</complexType>
</schema>
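To show how an instance of the draft core assertion schema above is laid out and checked, here is an added example (not part of the draft or of Chris McLaren's message) that parses a constructed AuthorizationDecision assertion, verifies the required AssertionType attributes and the xsi:type selecting a concrete type, checks Answer against the DecisionType enumeration, and evaluates the Conditions NotBefore/NotOnOrAfter window. The issuer name, GUID-style AssertionID and resource URI are made up; the xsi namespace is the October 2000 one, matching the schema language version the message says the draft uses.

```python
# Added example, not part of the draft: structural checks on a constructed
# instance of the draft core assertion schema, using only the standard library.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "http://www.oasis.org/tbs/1066-12-25/"              # draft targetNamespace
XSI = "http://www.w3.org/2000/10/XMLSchema-instance"        # Oct-2000 instance namespace
DECISIONS = {"Permit", "Deny", "Indeterminate"}             # saml:DecisionType values
REQUIRED_ATTRS = ("Version", "AssertionID", "Issuer", "IssueInstant")
CONCRETE_TYPE = "saml:AuthorizationDecisionAssertionType"

# Constructed instance. Global elements (Assertion, Conditions, Subject,
# NameIdentifier, Object) sit in the draft namespace; because the schema sets
# elementFormDefault="unqualified", local elements (SecurityDomain, Name,
# Resource, Action, Answer) carry no namespace. The GUID-style AssertionID is
# illustrative only, as the covering message says.
SAMPLE = """<saml:Assertion xmlns:saml="http://www.oasis.org/tbs/1066-12-25/"
    xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
    xsi:type="saml:AuthorizationDecisionAssertionType"
    Version="1.0" AssertionID="c5e2b0b6-0000-4000-8000-000000000001"
    Issuer="issuer.example" IssueInstant="2001-03-12T10:00:00Z">
  <saml:Conditions NotBefore="2001-03-12T10:00:00Z"
                   NotOnOrAfter="2001-03-12T10:05:00Z"/>
  <saml:Subject>
    <saml:NameIdentifier>
      <SecurityDomain>example</SecurityDomain><Name>alice</Name>
    </saml:NameIdentifier>
  </saml:Subject>
  <saml:Object>
    <Resource>http://www.example.com/report</Resource><Action>read</Action>
  </saml:Object>
  <Answer>Permit</Answer>
</saml:Assertion>"""


def parse_instant(text):
    """Parse the UTC 'Z' form of the 2000-draft timeInstant type."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now_text):
    """Return (ok, reasons); reasons is empty when every check passes."""
    now = parse_instant(now_text)
    root = ET.fromstring(xml_text)
    reasons = []
    if root.tag != f"{{{SAML}}}Assertion":
        return False, ["root element is not saml:Assertion"]
    missing = [a for a in REQUIRED_ATTRS if a not in root.attrib]
    if missing:
        reasons.append("missing required attributes: " + ", ".join(missing))
    # AssertionType is abstract, so the instance must name a concrete type.
    if root.get(f"{{{XSI}}}type") != CONCRETE_TYPE:
        reasons.append("xsi:type does not select " + CONCRETE_TYPE)
    answer = root.findtext("Answer")   # unqualified local element
    if answer not in DECISIONS:
        reasons.append(f"Answer {answer!r} is not a DecisionType value")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is not None:   # both window attributes are optional in ConditionsType
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before):
            reasons.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_instant(not_on_or_after):
            reasons.append("assertion expired (NotOnOrAfter)")
    return not reasons, reasons
```

Calling `check_assertion(SAMPLE, "2001-03-12T10:02:00Z")` returns `(True, [])`; at `10:05:00Z` the NotOnOrAfter bound is reached and the assertion is reported expired.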
<?xml version="1.0" encoding="UTF-8"?>
<!-- Renegade Whiteboard Schema -->
<!-- Authors: Chris McLaren, Prateek Mishra, Philip Hallan-Baker, David Orchard -->
<xsd:schema targetNamespace="http://www.oasis.org/tbs/1066-12-25/protocol/" xmlns="http://www.w3.org/2000/10/XMLSchema" xmlns:samlp="http://www.oasis.org/tbs/1066-12-25/protocol/" xmlns:saml="http://www.oasis.org/tbs/1066-12-25/" xmlns:xsd="http://www.w3.org/2000/10/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" elementFormDefault="unqualified">
	<xsd:import namespace="http://www.oasis.org/tbs/1066-12-25/" schemaLocation="draft-schema-assertion-10.xsd"/>
	<xsd:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
	<xsd:annotation>
		<xsd:documentation>draft-schema-protocol-10.xsd</xsd:documentation>
	</xsd:annotation>
	<xsd:complexType name="SAMLAbstractRequestType" abstract="true">
		<xsd:attribute name="RequestID" type="saml:IDType" use="required"/>
		<xsd:attribute name="Version" type="string" use="required"/>
	</xsd:complexType>
	<xsd:element name="SAMLRequest" type="samlp:SAMLRequestType"/>
	<xsd:complexType name="SAMLRequestType">
		<xsd:complexContent>
			<xsd:extension base="samlp:SAMLAbstractRequestType">
				<xsd:choice>
					<xsd:element name="Query" type="samlp:SAMLQueryType"/>
					<xsd:element ref="saml:AssertionID" maxOccurs="unbounded"/>
				</xsd:choice>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	<xsd:element name="SAMLResponse" type="samlp:SAMLResponseType"/>
	<xsd:complexType name="SAMLAbstractResponseType" abstract="true">
		<xsd:attribute name="ResponseID" type="saml:IDType" use="required"/>
		<xsd:attribute name="InResponseTo" type="saml:IDType" use="required"/>
		<xsd:attribute name="Version" type="string" use="required"/>
	</xsd:complexType>
	<xsd:complexType name="SAMLResponseType">
		<xsd:complexContent>
			<xsd:extension base="samlp:SAMLAbstractResponseType">
				<xsd:sequence>
					<xsd:element ref="saml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
				</xsd:sequence>
				<xsd:attribute name="StatusCode" type="samlp:StatusCodeType" use="required"/>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	<xsd:complexType name="SAMLQueryType" abstract="true"/>
	<xsd:complexType name="SubjectQueryType" abstract="true">
		<xsd:complexContent>
			<xsd:extension base="samlp:SAMLQueryType">
				<xsd:sequence>
					<xsd:element ref="saml:Subject"/>
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	<xsd:complexType name="AuthenticationQueryType">
		<xsd:complexContent>
			<xsd:extension base="samlp:SubjectQueryType">
				<xsd:sequence>
					<xsd:element ref="saml:AuthenticationCode" minOccurs="0"/>
					<!--do we want more than one of these?-->
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	<xsd:complexType name="AttributeQueryType">
		<xsd:complexContent>
			<xsd:extension base="samlp:SubjectQueryType">
				<xsd:sequence>
					<xsd:element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
					<xsd:element name="CompletenessSpecifier" type="samlp:CompletenessSpecifierType" default="All"/>
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	<xsd:element name="AuthorizationQuery" type="samlp:AuthorizationQueryType"/>
	<xsd:complexType name="AuthorizationQueryType">
		<xsd:complexContent>
			<xsd:extension base="samlp:SubjectQueryType">
				<xsd:sequence>
					<xsd:element ref="saml:Evidence" minOccurs="0" maxOccurs="unbounded"/>
					<xsd:element ref="saml:Object"/>
				</xsd:sequence>
			</xsd:extension>
		</xsd:complexContent>
	</xsd:complexType>
	<xsd:simpleType name="CompletenessSpecifierType">
		<xsd:restriction base="string">
			<xsd:enumeration value="Any"/>
			<xsd:enumeration value="All"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="StatusCodeType">
		<xsd:restriction base="string">
			<xsd:enumeration value="Success"/>
			<xsd:enumeration value="Failure"/>
			<xsd:enumeration value="Error"/>
			<xsd:enumeration value="Unknown"/>
		</xsd:restriction>
	</xsd:simpleType>
</xsd:schema>
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2000/10/XMLSchema"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      targetNamespace="http://www.w3.org/2000/09/xmldsig#"
      version="0.1"
      elementFormDefault="qualified"> 

<!-- Basic Types Defined for Signatures -->

<simpleType name="CryptoBinary">
  <restriction base="binary">
   <encoding value="base64"/>
  </restriction>
</simpleType>

<!-- Start Signature -->

<element name="Signature"> 
  <complexType>
    <sequence> 
      <element ref="ds:SignedInfo"/> 
      <element ref="ds:SignatureValue"/> 
      <element ref="ds:KeyInfo" minOccurs="0"/> 
      <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> 
    </sequence>  
    <attribute name="Id" type="ID" use="optional"/> 
  </complexType>
</element> 

<!-- Start SignedInfo -->

<element name="SignedInfo"> 
  <complexType>
    <sequence> 
      <element ref="ds:CanonicalizationMethod"/> 
      <element ref="ds:SignatureMethod"/> 
      <element ref="ds:Reference" maxOccurs="unbounded"/> 
    </sequence>  
    <attribute name="Id" type="ID" use="optional"/> 
  </complexType>
</element> 

<element name="CanonicalizationMethod"> 
  <complexType>
    <sequence>
      <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="Algorithm" type="uriReference" use="required"/> 
  </complexType>
</element> 

<element name="SignatureMethod"> 
  <complexType> 
    <sequence>
      <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="Algorithm" type="uriReference" use="required"/> 
  </complexType>
</element> 

<element name="SignatureValue" type="ds:CryptoBinary"/> 

<!-- Start Reference -->

<element name="Reference"> 
  <complexType>
    <sequence> 
      <element ref="ds:Transforms" minOccurs="0"/> 
      <element ref="ds:DigestMethod"/> 
      <element ref="ds:DigestValue"/> 
    </sequence>
    <attribute name="Id" type="ID" use="optional"/> 
    <attribute name="URI" type="uriReference" use="optional"/> 
    <attribute name="Type" type="uriReference" use="optional"/> 
  </complexType>
</element> 

<element name="Transforms"> 
  <complexType> 
    <sequence>
      <element ref="ds:Transform" maxOccurs="unbounded"/>
    </sequence>  
  </complexType>
</element> 

<element name="Transform"> 
  <complexType>
    <choice maxOccurs="unbounded"> 
      <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      <element name="XSLT" type="string"/> 
      <!-- should be an xsl:stylesheet element -->
      <element name="XPath" type="string"/> 
    </choice>
    <attribute name="Algorithm" type="uriReference" use="required"/> 
  </complexType>
</element>


<!-- End Reference -->

<element name="DigestMethod"> 
  <complexType> 
    <sequence>
      <any processContents="lax" minOccurs="0" maxOccurs="unbounded" namespace="##any"/>
    </sequence>
    <attribute name="Algorithm" type="uriReference" use="required"/> 
  </complexType>
</element> 

<element name="DigestValue" type="ds:CryptoBinary"/> 


<!-- End SignedInfo -->

<!-- Start KeyInfo -->

<element name="KeyInfo"> 
  <complexType>
    <choice maxOccurs="unbounded">     
      <any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/> 
      <element name="KeyName" type="string"/> 
      <element ref="ds:KeyValue"/> 
      <element ref="ds:RetrievalMethod"/> 
      <element ref="ds:X509Data"/> 
      <element ref="ds:PGPData"/> 
      <element ref="ds:SPKIData"/>
      <element name="MgmtData" type="string"/>
    </choice>
    <attribute name="Id" type="ID" use="optional"/> 
  </complexType>
</element> 

<element name="KeyValue">
  <complexType mixed="true">
    <choice>
      <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      <element ref="ds:DSAKeyValue"/>
      <element ref="ds:RSAKeyValue"/>
    </choice>
  </complexType>
</element>

<element name="RetrievalMethod">
  <complexType>
    <sequence>
      <element ref="ds:Transforms" minOccurs="0"/>
    </sequence>
    <attribute name="URI" type="uriReference"/>
    <attribute name="Type" type="uriReference" use="optional"/>
  </complexType>
</element> 

<!-- Start X509Data -->

<element name="X509Data"> 
  <complexType> 
    <choice>
      <sequence maxOccurs="unbounded"> 
        <choice> 
          <element ref="ds:X509IssuerSerial"/>
          <element name="X509SKI" type="ds:CryptoBinary"/>
          <element name="X509SubjectName" type="string"/> 
          <element name="X509Certificate" type="ds:CryptoBinary"/>
        </choice>  
      </sequence>
      <element name="X509CRL" type="ds:CryptoBinary"/>
    </choice>
  </complexType>
</element>

<element name="X509IssuerSerial"> 
  <complexType> 
    <sequence> 
      <element name="X509IssuerName" type="string"/> 
      <element name="X509SerialNumber" type="integer"/> 
    </sequence>
  </complexType>
</element>

<!-- End X509Data -->

<!-- Begin PGPData -->

<element name="PGPData"> 
  <complexType> 
    <choice>
      <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      <sequence>
        <element name="PGPKeyID" type="string"/> 
        <element name="PGPKeyPacket" type="ds:CryptoBinary"/> 
      </sequence>  
    </choice>
  </complexType>
</element>

<!-- End PGPData -->

<!-- Begin SPKIData -->

<element name="SPKIData" type="string"/>

<!-- End SPKIData -->

<!-- End KeyInfo -->

<!-- Start Object (Manifest, SignatureProperty) -->

<element name="Object"> 
  <complexType mixed="true">
    <sequence maxOccurs="unbounded">
      <any namespace="##any" processContents="lax"/>
    </sequence>
    <attribute name="Id" type="ID" use="optional"/> 
    <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
    <attribute name="Encoding" type="uriReference" use="optional"/> 
  </complexType>
</element> 

<element name="Manifest"> 
  <complexType>
    <sequence>
      <element ref="ds:Reference" maxOccurs="unbounded"/> 
    </sequence>  
    <attribute name="Id" type="ID" use="optional"/> 
  </complexType>
</element> 

<element name="SignatureProperties"> 
  <complexType> 
    <sequence>
      <element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
    </sequence> 
    <attribute name="Id" type="ID" use="optional"/> 
  </complexType>
</element> 

<element name="SignatureProperty"> 
  <complexType mixed="true"> 
    <choice minOccurs="0" maxOccurs="unbounded">
      <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </choice>
    <attribute name="Target" type="uriReference" use="required"/> 
    <attribute name="Id" type="ID" use="optional"/> 
  </complexType>
</element> 

<!-- End Object (Manifest, SignatureProperty) -->

<!-- Start Algorithm Parameters -->

<element name="HMACOutputLength" type="integer"/>

<!-- Start KeyValue Element-types -->

<element name="DSAKeyValue"> 
  <complexType> 
    <sequence>
      <sequence>
        <element name="P" type="ds:CryptoBinary"/> 
        <element name="Q" type="ds:CryptoBinary"/> 
        <element name="G" type="ds:CryptoBinary"/> 
        <element name="Y" type="ds:CryptoBinary"/> 
        <element name="J" type="ds:CryptoBinary" minOccurs="0"/> 
      </sequence>
      <sequence minOccurs="0">
        <element name="Seed" type="ds:CryptoBinary"/> 
        <element name="PgenCounter" type="ds:CryptoBinary"/> 
      </sequence>
    </sequence>
  </complexType>
</element>

<element name="RSAKeyValue"> 
  <complexType> 
    <sequence>
      <element name="Modulus" type="ds:CryptoBinary"/> 
      <element name="Exponent" type="ds:CryptoBinary"/>
    </sequence> 
  </complexType> 
</element>

<!-- End KeyValue Element-types -->

<!-- End Signature -->

</schema>