security-services message

Subject: RE: Request for clarification


I believe Philip has already responded to your note,
but here are my opinions as well.
>>1) Is saml:evidence different from saml:advice? Already 
>>xtass:evidence 
>>   shares identical wording with saml:advice, including the missing \)

I have no idea why you are dragging XTASS in here. SAML evidence and
advice are completely different notions. Advice carries entirely
optional and open-ended data as part of an assertion; evidence is
defined as a sequence of assertions contained within two elements:

	AuthorizationQuery
	AzDecisionAssertion


>>2) Since an AuthorizationDecisionAssertion is "made subject to the 
>>   assertions in the Evidence element"
>>   a) Does the AuthorizationDecisionAssertion certify the textually
>>      enclosed saml:evidence as valid "jointly and severally", as 
>>      defined by the Element <Claims>?  If so, what is the purpose 
>>      of carrying the evidence, and is the evidence unique or 
>>complete?

The purpose of evidence is the following: I need to decide
whether user Alice should have access to resource R; it turns
out user Alice has several assertions E that she can reasonably
claim to belong to her. I can now submit the evidence E
to the PDP together with the question "Can Alice access R?".
The AzDecision assertion returned by the PDP must carry
all of the assertions submitted as evidence, as these condition
its judgement.


>>   b) What, if any, are the consistency requirements between multiple
>>      saml:evidence elements within an AuthorizationDecisionAssertion?

NONE.

>>3) Is saml:evidence local to the saml:AuthenticationDecisionAssertion 
>>   that textually encloses it?  

Yes.

>>4) What properties describe the saml:evidence available in a 
>>SAMLResponse
>>   to a SAML protocol AuthorizationQuery, and how does this 
>>depend on the
>>   evidence provided in the query? 

Evidence in response MUST be identical to evidence in query.

>>//Michah
- prateek
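As an added example (not part of this thread or of any OASIS specification text), here is a relying-party check for the rule stated above: the Evidence carried in the returned AuthorizationDecisionAssertion must be identical to the Evidence submitted in the AuthorizationQuery. The messages are constructed, simplified XML that borrows the element names used in the thread; they carry no real SAML namespaces or signatures.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified messages using the element names from the thread
# (no SAML namespaces, no signatures); not real SAML wire format.
QUERY = """<AuthorizationQuery Resource="https://example.invalid/R">
  <Subject>Alice</Subject>
  <Evidence>
    <Assertion AssertionID="a1" Issuer="idp.example.invalid"><AuthenticationStatement/></Assertion>
    <Assertion AssertionID="a2" Issuer="hr.example.invalid"><AttributeStatement Group="staff"/></Assertion>
  </Evidence>
</AuthorizationQuery>"""

# PDP answer that carries back exactly the evidence it was given.
RESPONSE_OK = """<AuthorizationDecisionAssertion Decision="Permit" Resource="https://example.invalid/R">
  <Subject>Alice</Subject>
  <Evidence>
    <Assertion AssertionID="a1" Issuer="idp.example.invalid"><AuthenticationStatement/></Assertion>
    <Assertion AssertionID="a2" Issuer="hr.example.invalid"><AttributeStatement Group="staff"/></Assertion>
  </Evidence>
</AuthorizationDecisionAssertion>"""

# PDP answer that silently dropped a2: the decision is no longer conditioned on what was submitted.
RESPONSE_BAD = """<AuthorizationDecisionAssertion Decision="Permit" Resource="https://example.invalid/R">
  <Subject>Alice</Subject>
  <Evidence>
    <Assertion AssertionID="a1" Issuer="idp.example.invalid"><AuthenticationStatement/></Assertion>
  </Evidence>
</AuthorizationDecisionAssertion>"""

def canonical(elem):
    """Deterministic text form of a subtree: tag, sorted attributes, stripped text, children in order."""
    attrs = ",".join(f"{k}={v}" for k, v in sorted(elem.attrib.items()))
    kids = "".join(canonical(c) for c in elem)
    return f"<{elem.tag}[{attrs}]{(elem.text or '').strip()}>{kids}</{elem.tag}>"

def evidence(xml_text):
    """Ordered tuple of canonical assertions under the first Evidence element (empty if none)."""
    ev = ET.fromstring(xml_text).find(".//Evidence")
    return tuple(canonical(a) for a in ev.findall("Assertion")) if ev is not None else ()

def check_evidence(query_xml, response_xml):
    """Apply the rule from the thread: response evidence must be identical to query evidence."""
    q, r = evidence(query_xml), evidence(response_xml)
    return {"match": q == r,
            "missing": sorted(set(q) - set(r)),   # submitted but not echoed back
            "extra": sorted(set(r) - set(q))}     # echoed back but never submitted

if __name__ == "__main__":
    for name, resp in (("ok", RESPONSE_OK), ("bad", RESPONSE_BAD)):
        print(name, check_evidence(QUERY, resp))
```

A mismatch means the decision was conditioned on a different set of assertions than the requester submitted, so the requester should not act on it.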