OASIS Mailing List Archives



security-services message


Subject: [security-services] FW: [xacml] Potential SAML issues

-----Original Message-----
From: Sekhar Vajjhala - Sun Microsystems
Sent: Monday, January 14, 2002 4:10 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Potential SAML issues


These are some of the potential SAML issues. Most of them
were found when attempting to write J2SE policy files
in XACML syntax. Further discussion is needed on these.

ISSUE: saml:Action is a "string"

     saml:Action is currently specified as a "string". Making Action
     an abstract type would allow it to be extended. This would allow
     the content model to be defined by a schema external to the SAML.
     Thus what constitutes an action could be determined by the J2SE

ISSUE: saml:AuthorizationQuery requires actions.

     If actions are optional for XACML, then why should <saml:Actions>
     be required in <saml:AuthorizationQuery> ? Both the wording in
     the SAML assertions draft as well as the SAML schema place
     such a requirement. saml:Actions should be optional in the
     AuthorizationQuery to accommodate queries without actions.

     At least for now, I don't anticipate this as an issue for J2SE.

ISSUE: single subject in AuthorizationQuery

     saml:AuthorizationQuery currently only contains a single
     Subject. While a saml:Subject can support multiple NameIdentifier
     or SubjectConfirmation or AssertionSpecifier elements, it
     is required that they all belong to the same principal. So
     a single subject cannot be used for unrelated principals.

     In J2SE, there is a need to base access control on multiple
     principals which are not related and this therefore points
     to a need for more than one Subject in the saml:AuthorizationQuery.

     NOTE: The way out of this appears to be extend
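The two schema constraints the message argues against (a mandatory saml:Actions list and a single saml:Subject per saml:AuthorizationQuery) are easiest to see in a concrete query. The following is an added example, not code from the message or from the OASIS TCs: it builds a query in the shape the draft schema described above requires, then runs a structural check that flags exactly the two cases the message wants relaxed. The element naming follows the message (samlp:AuthorizationQuery with a saml:Actions wrapper); the namespace URIs, the Resource attribute and the sample principal and resource names are assumptions made for illustration.

```python
"""Added example: build a draft-style SAML AuthorizationQuery and check the
two constraints discussed in the message (exactly one saml:Subject, a
non-empty saml:Actions list). Not part of the original mailing-list post.
Namespace URIs, attribute names and sample values are assumptions."""
import xml.etree.ElementTree as ET

# Assumed namespaces (SAML 1.0 assertion/protocol URIs used as placeholders).
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def build_query(subjects, resource, actions):
    """Return a samlp:AuthorizationQuery element.

    subjects: list of NameIdentifier strings, one saml:Subject per entry
              (unrelated principals, as in the J2SE case the message raises).
    resource: value for the assumed Resource attribute.
    actions:  list of action strings; an empty list omits saml:Actions
              altogether, which is the "query without actions" case.
    """
    root = ET.Element(q(SAMLP, "AuthorizationQuery"), {"Resource": resource})
    for name in subjects:
        subj = ET.SubElement(root, q(SAML, "Subject"))
        ET.SubElement(subj, q(SAML, "NameIdentifier")).text = name
    if actions:
        acts = ET.SubElement(root, q(SAML, "Actions"))
        for a in actions:
            # saml:Action is a plain string in the draft, so the action
            # vocabulary (here J2SE-style permission actions) is opaque.
            ET.SubElement(acts, q(SAML, "Action")).text = a
    return root


def check_query(root):
    """Return the list of draft-schema violations found in the query.

    Enforces the two rules the message objects to: exactly one Subject,
    and at least one non-empty Action inside Actions.
    """
    problems = []
    subjects = root.findall(q(SAML, "Subject"))
    if len(subjects) != 1:
        problems.append("expected exactly one saml:Subject, found %d"
                        % len(subjects))
    actions = root.findall("%s/%s" % (q(SAML, "Actions"), q(SAML, "Action")))
    if not actions:
        problems.append("saml:Actions with at least one saml:Action is required")
    for a in actions:
        if not (a.text or "").strip():
            problems.append("empty saml:Action string")
    return problems


def serialize(root):
    """Serialise the query to a str so it can be inspected or re-parsed."""
    return ET.tostring(root, encoding="unicode")


def parse_query(text):
    """Parse a serialised query back into an element for checking."""
    return ET.fromstring(text)


if __name__ == "__main__":
    # Constructed sample input: a file resource and two J2SE-style actions.
    ok = build_query(["alice"], "file:///tmp/data", ["read", "write"])
    print(serialize(ok))
    print("valid query:", check_query(ok))
    # The two cases the message wants the schema to allow:
    print("two subjects:", check_query(
        build_query(["alice", "bob"], "file:///tmp/data", ["read"])))
    print("no actions:", check_query(
        build_query(["alice"], "file:///tmp/data", [])))
```

Under the draft rules as described, the two-subject and no-action queries both fail the check; relaxing the schema in the way the message proposes would amount to dropping those two branches of check_query.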

