security-services message


Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)


I think what we are all talking about is some machinery in the core schema
that can be used as needed by different bindings. 

The question is whether to open a new issue or simply add some text to the
current one. I don't want to have a lot of open issues on the same subject,
but I also don't want to "lose" the issue by inappropriately combining it
with a different one.

I think we need an XMLdsig profile as well, but we need to specify some use
of SubjectConfirmation that enables this in the SAML schema.

Hal

> -----Original Message-----
> From: Daniel Ash [mailto:Daniel.Ash@identrus.com]
> Sent: Thursday, August 23, 2001 4:24 PM
> To: 'Tim Moses'; 'OASIS Security Services group'
> Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)
> 
> 
> I agree that a SOAP and/or SMIME profile should indicate the 
> use of signatures for subject authentication, however, what 
> about other bindings?  I actually favor the approach where an 
> XMLSIG profile of XML-Protocol indicates this functionality 
> (as part of XML-P) so that any application and/or protocol 
> bound to XML-P doesn't have to worry about it.  Though, in 
> the short term, if many implementors plan to bind directly to 
> HTTP then it might make sense to go with Tim's original suggestion.
>  
> -dan      
> -----Original Message-----
> From: Tim Moses [mailto:tim.moses@entrust.com]
> Sent: Thursday, August 23, 2001 3:49 PM
> To: 'OASIS Security Services group'
> Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc)
> 
> 
> Hal - Perhaps you are right.  I originally thought this was a 
> different issue (one solved by allowing the Subject element 
> to be a digest of a "document", so that the assertion could 
> be "about" the data, rather than about a person).  But, on 
> rereading, the mention of SOAP and S/MIME seems to suggest a 
> "store-and-forward" communications model, with origin 
> authentication based on the signer's signature over the data.
> Can we conclude that Phill has the mandate to include the 
> text proposed in my contribution ... 
> http://lists.oasis-open.org/archives/security-services/200108/msg00041.html 
> Or can we only append the text from the contribution to the 
> description of the issue? 
> Best regards.  Tim. 
> 
> 
> -----Original Message----- 
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com] 
> Sent: Thursday, August 23, 2001 3:06 PM 
> To: 'Tim Moses'; 'OASIS Security Services group' 
> Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc) 
> 
> 
> Sorry to change my story, but I just noticed: 
> ISSUE:[DS-10-01: AttachPayload] 
> There is a requirement for assertions to support some 
> structure to support 
> their "secure attachment" to payloads. This is a blocking 
> factor to creating 
> a SOAP profile or a MIME profile. If needed, the bindings 
> group can make a 
> design proposal in this space but we would like input from 
> the broader 
> group. 
> Status: Open 
> Is this the same issue? Can we just add some text to it to 
> include your 
> proposal? 
> Hal 
> > -----Original Message----- 
> > From: Tim Moses [mailto:tim.moses@entrust.com] 
> > Sent: Thursday, August 23, 2001 2:09 PM 
> > To: 'OASIS Security Services group' 
> > Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc) 
> > 
> > 
> > Hal - The only written response to my contribution on this 
> > topic was from Dan Ash (and that was supportive).  I did 
> > speak with Phill about it, and (I think) he felt he needed 
> > the group's explicit instruction to include it.  I have 
> > suggested text on the topic for the SubjectConfirmation 
> > section, but that text was not included in Core 15.  I am 
> > trying to figure out how best to get the "group" to instruct 
> > Phill to include it in the next draft.  Best regards.  Tim. 
> > -----Original Message----- 
> > From: Hal Lockhart [mailto:hal.lockhart@entegrity.com] 
> > Sent: Thursday, August 23, 2001 2:02 PM 
> > To: 'Tim Moses'; 'OASIS Security Services group' 
> > Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc) 
> > 
> > 
> > Sorry, I just missed it. I will add it. 
> >  
> > After doing a little research I am confused. At first I 
> > thought, we have a usecase for some kind of document exchange 
> > in a store and forward environment that would mandate this. I 
> > can't find one in draft-sstc-saml-reqs-01. The only thing I 
> > found is a requirement for an ebXML binding, which I suspect 
> > will require this, although I am not that familiar with 
> > ebXML. I also cannot find open or closed issues on this kind 
> > of a use case. Can anyone help me out? Does anyone from the 
> > usecase group remember if store and forward transactions are 
> > supposed to be in or out? 
> >  
> > Assume the answer is "in", is this issue controversial? 
> > Personally I thought this was one of the intended uses of 
> > SubjectConfirmation. (I am having trouble following the 
> > discussion thread, because this was originally one point among 
> > many in your comments.) Have there been any arguments against it? 
> >  
> > Hal 
> > -----Original Message----- 
> > From: Tim Moses [mailto:tim.moses@entrust.com] 
> > Sent: Wednesday, August 22, 2001 4:21 PM 
> > To: 'OASIS Security Services group' 
> > Subject: RE: Updated Issues List (draft-sstc-saml-issues-06.doc) 
> > 
> > 
> > Hal - I do have one issue that I would like to raise.  I 
> > could offer to "champion" it, if it is appropriate. 
> > There is a need for a subject confirmation method based on a 
> > signature over a document.  Carlisle has dubbed this 
> > "unaccompanied data".  Also, see Dan Ash's posting on the topic ... 
> > http://lists.oasis-open.org/archives/security-services/200108/msg00029.html 
> Should this method be added to section 4 of Core 15? 
> All the best.  Tim. 
> -----Original Message----- 
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com] 
> Sent: Wednesday, August 22, 2001 10:51 AM 
> To: 'security-services@lists.oasis-open.org'; 
> 'security-editors@lists.oasis-open.org' 
> Subject: Updated Issues List (draft-sstc-saml-issues-06.doc) 
> 
> 
> The issues list has been updated to reflect recent 
> discussions on the list. 
> Some arbitrary decisions were made about what are issues and 
> what are merely 
> editorial comments. Please let me know if I have missed your issue. 
> The issue status report has been delayed but will be issued soon. 
> Hal 
> 

