Subject: [security-services] FW: [xacml] Potential SAML issues
-----Original Message-----
From: Sekhar Vajjhala - Sun Microsystems [mailto:sekhar.vajjhala@sun.com]
Sent: Monday, January 14, 2002 4:10 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] Potential SAML issues

SAML ISSUES

These are some of the potential SAML issues. Most of them were found when attempting to write J2SE policy files in XACML syntax. Further discussion is needed on these issues.

ISSUE: saml:Action is a "string"

saml:Action is currently specified as a "string". Making Action an abstract type would allow it to be extended. This would allow the content model to be defined by a schema external to the SAML spec. Thus what constitutes an action could be determined by the J2SE schema.

ISSUE: saml:AuthorizationQuery requires actions.

If actions are optional for XACML, then why should <saml:Actions> be required in <saml:AuthorizationQuery>? Both the wording in the SAML assertions draft as well as the SAML schema place such a requirement. saml:Actions should be optional in the AuthorizationQuery to accommodate queries without actions. At least for now, I don't anticipate this as an issue for J2SE.

ISSUE: single subject in AuthorizationQuery

saml:AuthorizationQuery currently only contains a single Subject. While a saml:Subject can support multiple NameIdentifier or SubjectConfirmation or AssertionSpecifier elements, it is required that they all belong to the same principal. So a single subject cannot be used for unrelated principals. In J2SE, there is a need to base access control on multiple principals which are not related, and this therefore points to a need for more than one Subject in the saml:AuthorizationQuery.

NOTE: The way out of this appears to be to extend SubjectQueryAbstractType.

-- Sekhar