security-services message



Subject: RE: [security-services] Presumptuous comments on SAML core-19 draft



Eve,

	Only three pages are coming out in my copy.

		Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@sun.com]
> Sent: Wednesday, October 17, 2001 5:57 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] Presumptuous comments on SAML core-19 draft
> 
> 
> I have a bunch of editorial comments on the core-19 draft.  As I started
> working on the Section 1 intro and Section 1.1, I found that the easiest
> thing was to actually work on the .doc file directly; the comments are
> fairly invasive (though hopefully they're technically neutral) and it
> would be a waste of time to try to write out all the suggestions
> separately.
> 
> I have attached a .doc file that contains just my reworked version of the
> beginning of core-19, and below I've also supplied a text version
> (produced by saving Word as .txt with line breaks and doing a little
> tweaking) just to make it easier for people to read.
> 
> Phill, if you're amenable to these suggestions, perhaps we could
> coordinate on more such excursions over the next week or two.  I'm also
> happy to do things like making the use of Word styles more consistent,
> etc.
> 
> 	Eve
> 
> 			*		*		*
> 
> 1 	SAML Concepts
> 
> [WE NEED A WHOLE BUNCH OF INTRO/CONCEPTUAL STUFF HERE. IT
> SHOULD INCLUDE TERMINOLOGY AND POSSIBLY A CONFORMANCE
> SECTION.]
> 
> 2 	SAML Schema Organization and Namespaces
> 
> The XML format for SAML is primarily defined by a set of two schemas
> encoded in W3C XML Schema form [XML-Schema1][XML-Schema2]. Additional
> constraints on this format are provided by the text of this
> specification.
> 
> The SAML request/response protocol structures are defined in a schema
> associated with the following XML namespace [TEMPORARY]:
> 
> http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-protocol-19.xsd
> 
> The SAML assertion structures, which MAY be used independently of the
> SAML protocol structures, are defined in a schema associated with the
> following XML namespace [TEMPORARY]:
> 
> http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd
> 
> The assertion schema is imported into the protocol schema. Also imported
> into both schemas is the schema for XML Signature [XML-SIG-XSD], which is
> associated with the following XML namespace:
> 
> http://www.w3.org/2000/09/xmldsig#
> 
> The XML Signature element ds:KeyInfo, defined in [XML-SIG]§4.4, is of
> particular interest in SAML.
> 
> XML namespace prefixes are used throughout the schema code examples in
> this specification to stand for their respective namespaces as follows,
> whether or not a namespace declaration is present in the example:
> 
> *	The prefix samlp: stands for the SAML request/response protocol
> namespace.
> 
> *	The prefix saml: stands for the SAML assertion namespace. This is
> the default namespace where no prefixes are provided in message protocol
> examples.
> 
> *	The prefix ds: stands for the XML Signature namespace.
> 
> *	The prefix xsd: stands for the XML Schema namespace. This is the
> default namespace where no prefixes are provided in schema code examples.
> 
> 3 	SAML Assertion Schema
> 
> A SAML assertion is a package of information that provides a statement
> of "fact" according to the issuer of the assertion. SAML allows issuers
> to make three different kinds of statement:
> 
> *	Authentication: The specified subject was authenticated by a
> particular means at a particular time.
> 
> *	Authorization decision: A request to allow the specified subject to
> access the specified object has been granted or denied.
> 
> *	Attribute: The specified subject is associated with the supplied
> attributes.
> 
> A SAML assertion has a nested structure. An inner
> AuthenticationStatement, AuthorizationStatement, or AttributeStatement
> element contains the specifics of the statement, while an outer generic
> Assertion element provides metadata about the assertion. The metadata
> for an assertion MUST include at least the major and minor version of
> the SAML syntax, a unique assertion identifier, an issuer identifier,
> and the date and time the assertion was issued. In addition, an
> assertion MAY provide additional conditions and advice.
> 
> The nested structure is designed to allow other specifications to add
> novel kinds of statements that use SAML assertion metadata. Possible
> additional applications include management of embedded trust roots
> [XTAML] and authorization policy information [XACML].
> 
> The following schema defines the XML namespaces for the assertion
> schema.
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill
> Hallam-Baker (VeriSign Inc.) -->
> <schema
>     targetNamespace="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:saml="http://www.oasis-open.org/committees/security/docs/draft-sstc-schema-assertion-19.xsd"
>     xmlns="http://www.w3.org/2001/XMLSchema"
>     elementFormDefault="unqualified">
>   <import namespace="http://www.w3.org/2000/09/xmldsig#"
>           schemaLocation="xmldsig-core-schema.xsd"/>
>   <annotation>
>     <documentation>draft-sstc-schema-assertion-19.xsd</documentation>
>   </annotation>
> 

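The assertion structure described in the quoted draft (an outer Assertion carrying version, identifier, issuer and issue time, one of three statement kinds inside it, optional Conditions) can be turned into a relying-party structural check. The Python below is an added example, not code from the draft or from the OASIS SSTC; the attribute names MajorVersion, MinorVersion, AssertionID, Issuer, IssueInstant, NotBefore and NotOnOrAfter, and the sample assertion it parses, are assumptions, since the quoted text names the required metadata only in prose. It deliberately does not verify ds:Signature; that step has to happen before any of these fields are trusted.

```python
"""Structural checks on a SAML assertion, following the core-19 draft text.

Added example, not code from the draft or the SSTC.  The attribute names
below are ASSUMED; the quoted draft only says the metadata must carry the
major/minor version, a unique assertion identifier, an issuer identifier
and the issue time.  Signature verification is out of scope.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs as quoted in the draft (marked TEMPORARY there).
SAML_NS = ("http://www.oasis-open.org/committees/security/docs/"
           "draft-sstc-schema-assertion-19.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns, local):
    """Clark-notation tag name as ElementTree reports it."""
    return "{%s}%s" % (ns, local)


# ASSUMED attribute names for the metadata the draft says MUST be present.
REQUIRED_ATTRS = ("MajorVersion", "MinorVersion", "AssertionID",
                  "Issuer", "IssueInstant")
# The three statement kinds named in the draft.
STATEMENT_TAGS = {_q(SAML_NS, n) for n in
                  ("AuthenticationStatement", "AuthorizationStatement",
                   "AttributeStatement")}


class InvalidAssertion(ValueError):
    """Raised when the assertion violates a structural rule of the draft."""


def _instant(value):
    # ISO 8601 with a trailing Z; fromisoformat wants "+00:00" before 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, now):
    """Parse an assertion and enforce the draft's structural rules.

    Returns a summary dict on success and raises InvalidAssertion otherwise.
    Does NOT verify ds:Signature: a relying party must do that before
    trusting anything returned here.
    """
    root = ET.fromstring(xml_text)  # stdlib parser, no external entities
    if root.tag != _q(SAML_NS, "Assertion"):
        raise InvalidAssertion("root is %s, not saml:Assertion" % root.tag)

    missing = [a for a in REQUIRED_ATTRS if not root.get(a)]
    if missing:
        raise InvalidAssertion("missing metadata: " + ", ".join(missing))

    statements = [c for c in root if c.tag in STATEMENT_TAGS]
    if not statements:
        raise InvalidAssertion("assertion contains no statement")

    # Conditions are optional, but when present the validity window binds.
    cond = root.find(_q(SAML_NS, "Conditions"))
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _instant(nb):
            raise InvalidAssertion("assertion not yet valid")
        if noa and now >= _instant(noa):
            raise InvalidAssertion("assertion expired")

    return {
        "id": root.get("AssertionID"),
        "issuer": root.get("Issuer"),
        "version": "%s.%s" % (root.get("MajorVersion"), root.get("MinorVersion")),
        "statements": [s.tag.split("}")[1] for s in statements],
        "signed": root.find(_q(DS_NS, "Signature")) is not None,
    }


# Constructed sample input (not taken from the draft).
VALID_ASSERTION = """<saml:Assertion xmlns:saml="%s"
    MajorVersion="1" MinorVersion="0" AssertionID="_a1b2c3"
    Issuer="https://idp.example" IssueInstant="2001-10-17T21:57:00Z">
  <saml:Conditions NotBefore="2001-10-17T21:57:00Z"
                   NotOnOrAfter="2001-10-17T22:02:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:example:password"
                                AuthenticationInstant="2001-10-17T21:56:50Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>""" % SAML_NS

# Same assertion with the issuer identifier dropped: must be rejected.
NO_ISSUER = VALID_ASSERTION.replace(' Issuer="https://idp.example"', "")

# Evaluation times inside and after the constructed Conditions window.
SAMPLE_NOW = datetime(2001, 10, 17, 22, 0, tzinfo=timezone.utc)
LATE_NOW = SAMPLE_NOW.replace(hour=23)

if __name__ == "__main__":
    print(check_assertion(VALID_ASSERTION, SAMPLE_NOW))
    for label, doc, when in (("no issuer", NO_ISSUER, SAMPLE_NOW),
                             ("expired", VALID_ASSERTION, LATE_NOW)):
        try:
            check_assertion(doc, when)
        except InvalidAssertion as e:
            print("rejected (%s): %s" % (label, e))
```

The check is ordered the way a relying party should reason about it: element identity and namespace first (an Assertion from the wrong namespace is not an assertion at all), then the metadata the draft marks MUST, then the presence of a known statement, then the Conditions window against the verifier's own clock. Unknown statement children are tolerated, matching the draft's intent that other specifications add new statement kinds under the same metadata.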
