OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: Substitution Groups Reconsidered

At 11:00 AM 9/17/01 -0700, Hallam-Baker, Phillip wrote:
>The article appears to me to be saying 'here's why not to bother learning
>about these things, you can get along without them'.
>However the choice mechanism does not permit the declaration of new
>assertion types as first class extensions of SAML and is thus unacceptable.

Neither do substitution groups.  They just allow the declaration of new 
*elements* as optional choices instead of the head element.

>Since we have gone over this at length at the F2F it is disappointing that
>the matter is being re-opened. Other groups who want to build on top of SAML
>(XACML) are already working on the assumption that SAML will permit
>extension to meet their needs. The idea that SAML should be arbirarily
>restricted to a particular problem domain, both in version 1 and in all
>future versions is not supported by any use case or requirement and indeed
>is directly against the original principles the group agreed upon.

What I said about "block" has nothing to do with other people who are using 
SAML and extending it for their own purposes.  They can, at any time, 
"substitute" a type of their own for an ancestor SAML type, using 
xsi:type.  (I haven't looked closely at your experimental extension 
schemas, but I bet they use xsi:type for their extensions and thus wouldn't 
be bothered at all by what I'm suggesting.)

What I thought we agreed to was that extension schemas wouldn't be allowed 
to substitute an *element* of their own; they would be forced to use 
xsi:type instead, which would connect every extension semantic back to a 
native SAML element semantic, like this:

   <MyAttributeAssertion xsi:type="saml:AttributeAssertionType">...</>

Currently, and in every previous version, both have been implicitly allowed 
(though we never talked about the second case):

   <MyAttributeAssertion xsi:type="saml:AttributeAssertionType">...</>

The question we're discussing is whether to disallow substitution groups in 
extension schemas with "block" -- NOT whether to disallow extension of 
types with "final" -- so that we force all extended forms of SAML to use 
our native elements on the principle of greater partial understanding.

Obviously there is still considerable confusion over these methods, despite 
the lengthy discussion we had in Waltham.  If we discover that our F2F #4 
agreements don't mean what we thought they meant, it seems to me that 
(unfortunately) we have no choice but to go through the logic again.

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC