Subject: RE: [security-services] Presumptuous comments on SAML core-19 draft
Eve,

Only three pages are coming out in my copy.

Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227

> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@sun.com]
> Sent: Wednesday, October 17, 2001 5:57 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Presumptuous comments on SAML core-19 draft
>
> I have a bunch of editorial comments on the core-19 draft. As I started working on the Section 1 intro and Section 1.1, I found that the easiest thing was to actually work on the .doc file directly; the comments are fairly invasive (though hopefully they're technically neutral) and it would be a waste of time to try to write out all the suggestions separately.
>
> I have attached a .doc file that contains just my reworked version of the beginning of core-19, and below I've also supplied a text version (produced by saving Word as .txt with line breaks and doing a little tweaking) just to make it easier for people to read.
>
> Phill, if you're amenable to these suggestions, perhaps we could coordinate on more such excursions over the next week or two. I'm also happy to do things like making the use of Word styles more consistent, etc.
>
> Eve
>
> * * *
>
> 1 SAML Concepts
>
> [WE NEED A WHOLE BUNCH OF INTRO/CONCEPTUAL STUFF HERE. IT SHOULD INCLUDE TERMINOLOGY AND POSSIBLY A CONFORMANCE SECTION.]
>
> 2 SAML Schema Organization and Namespaces
>
> The XML format for SAML is primarily defined by a set of two schemas encoded in W3C XML Schema form [XML-Schema1][XML-Schema2]. Additional constraints on this format are provided by the text of this specification.
>
> The SAML request/response protocol structures are defined in a schema associated with the following XML namespace [TEMPORARY]:
>
> http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-19.xsd
>
> The SAML assertion structures, which MAY be used independently of the SAML protocol structures, are defined in a schema associated with the following XML namespace [TEMPORARY]:
>
> http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd
>
> The assertion schema is imported into the protocol schema. Also imported into both schemas is the schema for XML Signature [XML-SIG-XSD], which is associated with the following XML namespace:
>
> http://www.w3.org/2000/09/xmldsig#
>
> The XML Signature element ds:KeyInfo, defined in [XML-SIG] §4.4, is of particular interest in SAML.
>
> XML namespace prefixes are used throughout the schema code examples in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
>
> * The prefix samlp: stands for the SAML request/response protocol namespace.
>
> * The prefix saml: stands for the SAML assertion namespace. This is the default namespace where no prefixes are provided in message protocol examples.
>
> * The prefix ds: stands for the XML Signature namespace.
>
> * The prefix xsd: stands for the XML Schema namespace. This is the default namespace where no prefixes are provided in schema code examples.
>
> 3 SAML Assertion Schema
>
> A SAML assertion is a package of information that provides a statement of "fact" according to the issuer of the assertion. SAML allows issuers to make three different kinds of statement:
>
> * Authentication: The specified subject was authenticated by a particular means at a particular time.
>
> * Authorization decision: A request to allow the specified subject to access the specified object has been granted or denied.
>
> * Attribute: The specified subject is associated with the supplied attributes.
>
> A SAML assertion has a nested structure. An inner AuthenticationStatement, AuthorizationStatement, or AttributeStatement element contains the specifics of the statement, while an outer generic Assertion element provides metadata about the assertion. The metadata for an assertion MUST include at least the major and minor version of the SAML syntax, a unique assertion identifier, an issuer identifier, and the date and time the assertion was issued. In addition, an assertion MAY provide additional conditions and advice.
>
> The nested structure is designed to allow other specifications to add novel kinds of statements that use SAML assertion metadata. Possible additional applications include management of embedded trust roots [XTAML] and authorization policy information [XACML].
>
> The following schema defines the XML namespaces for the assertion schema.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
> <schema targetNamespace="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
>   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>   xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
>   xmlns="http://www.w3.org/2001/XMLSchema"
>   elementFormDefault="unqualified">
>   <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>
>   <annotation>
>     <documentation>draft-sstc-schema-assertion-19.xsd</documentation>
>   </annotation>
>
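As an added illustration (not part of the message above, nor code from the SAML draft or the OASIS committee), the following Python script applies the structural rules the quoted draft text states for an assertion: the Assertion element must live in the draft-19 assertion namespace, carry the mandatory metadata, and wrap one of the three statement elements. The metadata attribute names (MajorVersion, MinorVersion, AssertionID, Issuer, IssueInstant) are an assumption, since the draft lists those items only in prose; the sample assertions are constructed. The second sample shows why the draft's remark that saml: is the default prefix "whether or not a namespace declaration is present" applies to examples only: a real document that omits the declaration puts its elements in no namespace, and a namespace-aware consumer rejects it.

```python
import xml.etree.ElementTree as ET

# Namespace URIs exactly as given in the core-19 draft quoted above.
SAML_NS = "http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
SAMLP_NS = "http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-19.xsd"

STATEMENT_KINDS = ("AuthenticationStatement", "AuthorizationStatement", "AttributeStatement")
# Attribute names are an assumption (the draft lists the required metadata only in prose).
REQUIRED_METADATA = ("MajorVersion", "MinorVersion", "AssertionID", "Issuer", "IssueInstant")


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the structural checks pass."""
    root = ET.fromstring(xml_text)
    # ElementTree tags carry the full namespace URI, so a missing or look-alike declaration fails here.
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return [f"root is {root.tag!r}, not Assertion in the draft-19 assertion namespace"]
    problems = [f"missing required metadata attribute {name}"
                for name in REQUIRED_METADATA if not root.get(name)]
    wanted = {f"{{{SAML_NS}}}{kind}" for kind in STATEMENT_KINDS}
    if not any(child.tag in wanted for child in root):
        problems.append("no statement element found in the assertion namespace")
    return problems


# Constructed sample assertions (not taken from the draft).
GOOD = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="0"
    AssertionID="constructed-id-001" Issuer="issuer.example"
    IssueInstant="2001-10-17T21:57:00Z">
  <saml:AuthenticationStatement/>
</saml:Assertion>"""

# Same content, but only the protocol prefix is declared, so the unprefixed elements have no namespace.
NO_DEFAULT_NS = f"""<Assertion xmlns:samlp="{SAMLP_NS}" MajorVersion="1" MinorVersion="0"
    AssertionID="constructed-id-002" Issuer="issuer.example"
    IssueInstant="2001-10-17T21:57:00Z">
  <AuthenticationStatement/>
</Assertion>"""

# Correct namespace, but no AssertionID and the statement is in the protocol namespace.
BAD_CONTENT = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:samlp="{SAMLP_NS}"
    MajorVersion="1" MinorVersion="0" Issuer="issuer.example"
    IssueInstant="2001-10-17T21:57:00Z">
  <samlp:AttributeStatement/>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("NO_DEFAULT_NS", NO_DEFAULT_NS), ("BAD_CONTENT", BAD_CONTENT)):
        print(label, check_assertion(doc) or "ok")
```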