OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: [security-services] Presumptuous comments on SAML core-19 draft


I have a bunch of editorial comments on the core-19 draft.  As I started 
working on the Section 1 intro and Section 1.1, I found that the easiest 
thing was to actually work on the .doc file directly; the comments are 
fairly invasive (though hopefully they're technically neutral) and it would 
be a waste of time to try to write out all the suggestions separately.

I have attached a .doc file that contains just my reworked version of the 
beginning of core-19, and below I've also supplied a text version (produced 
by saving Word as .txt with line breaks and doing a little tweaking) just 
to make it easier for people to read.

Phill, if you're amenable to these suggestions, perhaps we could coordinate 
on more such excursions over the next week or two.  I'm also happy to do 
things like making the use of Word styles more consistent, etc.

	Eve

			*		*		*

1 	SAML Concepts

[WE NEED A WHOLE BUNCH OF INTRO/CONCEPTUAL STUFF HERE. IT
SHOULD INCLUDE TERMINOLOGY AND POSSIBLY A CONFORMANCE
SECTION.]

2 	SAML Schema Organization and Namespaces

The XML format for SAML is primarily defined by a set of two schemas 
encoded in
W3C XML Schema form [XML-Schema1][XML-Schema2]. Additional constraints on
this format are provided by the text of this specification.

The SAML request/response protocol structures are defined in a schema 
associated with
the following XML namespace [TEMPORARY]:

http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-
protocol-19.xsd

The SAML assertion structures, which MAY be used independently of the SAML
protocol structures, are defined in a schema associated with the following XML
namespace [TEMPORARY]:

http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-
assertion-19.xsd

The assertion schema imported into the protocol schema. Also imported into 
both
schemas is the schema for XML Signature [XML-SIG-XSD], which is associated 
with
the following XML namespace:

http://www.w3.org/2000/09/xmldsig#

The XML Signature element ds:KeyInfo, defined in  [XML-SIG]4.4, is of 
particular
interest in SAML.

XML namespace prefixes are used throughout the schema code examples in this
specification to stand for their respective namespaces as follows, whether 
or not a
namespace declaration is present in the example:

?	The prefix samlp: stands for the SAML request/response protocol namespace.

?	The prefix saml: stands for the SAML assertion namespace. This is the 
default
namespace where no prefixes are provided in message protocol examples.

?	The prefix ds: stands for the XML Signature namespace.

?	The prefix xsd: stands for the XML Schema namespace. This is the default
namespace where no prefixes are provided in schema code examples.

3 	SAML Assertion Schema

A SAML assertion is a package of information that provides a statement of 
"fact"
according to the issuer of the assertion. SAML allows issuers to make three 
different
kinds of statement:

?	Authentication: The specified subject was authenticated by a particular 
means at
a particular time.

?	Authorization decision: A request to allow the specified subject to 
access the
specified object has been granted or denied.

?	Attribute: The specified subject is associated with the supplied attributes.

A SAML assertion has a nested structure. An inner AuthenticationStatement,
AuthorizationStatement, or AttributeStatement element contains the specifics
of the statement, while an outer generic Assertion element provides 
metadata about the
assertion. The metadata for an assertion MUST include at least the major 
and minor
version of the SAML syntax, a unique assertion identifier, an issuer 
identifier, and the
date and time the assertion was issued. In addition, an assertion MAY 
provide additional
conditions and advice.

The nested structure is designed to allow other specifications to add novel 
kinds of
statements that use SAML assertion metadata. Possible additional 
applications include
management of embedded trust roots [XTAML] and authorization policy 
information
[XACML].

The following schema defines the XML namespaces for the assertion schema.

<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill
Hallam-Baker (VeriSign Inc.) -->
<schema
	targetNamespace="http://www.oasis-
open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-
sstc-schema-assertion-19.xsd"
	xmlns="http://www.w3.org/2001/XMLSchema"
	elementFormDefault="unqualified">
	<import namespace="http://www.w3.org/2000/09/xmldsig#"
		schemaLocation="xmldsig-core-schema.xsd"/>
	<annotation>
		<documentation>draft-sstc-schema-assertion-19.xsd</documentation>
	</annotation>

core-19-sec1-intro-cmts.doc



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC