
Subject: RE: [security-services] Question on the use of <RespondWith>


Joe,
 
the <RespondWith> element is a very recent addition to the spec. It appears
to originate out of some fairly high-level discussion at F2F#5. I have
generated a separate message pointing out some of the complexities around
<RespondWith>.
 
http://lists.oasis-open.org/archives/security-services/200201/msg00136.html
 
I believe that the basic assumption in the request/response protocols was
that a response might contain any number of assertions containing any number
of statements of any type. Therefore, a conformant processor would have to
take care of all three levels of variation (not a big deal, IMHO). 
 
The <RespondWith> element appears to be an attempt to discipline this
process BUT I don't see that its semantics are clearly specified. We need to
figure out if we can reasonably add some constraint of this type or remove
it from the specification.
 
[Prateek Mishra] 
 
[JS]
 
 
I have a question on the use of <RespondWith> in the RequestAbstractType of
the protocol. How would this be used to obtain an Assertion with multiple
Statements? In general, are there use cases (maybe to be added to the
binding model) that define when multiple Statements within a single
assertion would be returned to a client? Is there a use case for multiple
Statements of different types within the same Assertion?

Any pointers to discussion threads on this topic would be appreciated. 

For example, I would like to obtain both Authentication information and
Attribute information. It appears that there is a great deal of flexibility
in the spec for doing this which may lead to interoperability issues.

Here are some potential ways to do it... 
1) Separate Request/Response pairs
  <Request ...>
    <RespondWith>AuthenticationStatement</RespondWith>
    <AuthenticationQuery...>
  </Request>

  <Response ...>
    <Status>...</Status>
    <Assertion ...>
      <AuthenticationStatement ...>
    </Assertion>
  </Response>

  <Request ...>
    <RespondWith>AttributeStatement</RespondWith>
    <AttributeQuery...>
  </Request>

  <Response ...>
    <Status>...</Status>
    <Assertion ...>
      <AttributeStatement ...>
    </Assertion>
  </Response>

2) Multiple Assertions returned in a single Request/Response
  <Request ...>
    <RespondWith>AuthenticationStatement</RespondWith>
    <RespondWith>AttributeStatement</RespondWith>
    <AuthenticationQuery...>
  </Request>

  <Response ...>
    <Status>...</Status>
    <Assertion ...>
      <AuthenticationStatement ...>
    </Assertion>
    <Assertion ...>
      <AttributeStatement ...>
    </Assertion>
  </Response>

3) Single Assertion with multiple Statements in a single Request/Response
  <Request ...>
    <RespondWith>MultipleStatement</RespondWith> <!-- Is this how it works? -->
    <RespondWith>AuthenticationStatement</RespondWith>
    <RespondWith>AttributeStatement</RespondWith>
    <AuthenticationQuery...>
  </Request>

  <Response ...>
    <Status>...</Status>
    <Assertion ...>
      <AuthenticationStatement ...>
      <AttributeStatement ...>
    </Assertion>
  </Response>

Thanks, 
Joe 

Joe Sanfilippo 
Commerce One 
19191 Vallco Parkway, Cupertino, CA 95014 
Tel 408 517 9245; Fax 408 517 3992 
joe.sanfilippo@commerceone.com 
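
Added example, not part of the original messages or of any SAML implementation: a response processor that copes with the "any number of assertions, any number of statements, any type" variation described in the reply, run over the three response layouts sketched in the question. The namespace-free sample documents are constructed, and treating the <RespondWith> values as the set of statement types the requester expects is an assumption, since the thread notes that the element's semantics are not clearly specified.

```python
# Added illustration. Element names follow the sketches in the message;
# namespaces and attributes are omitted and all sample documents are constructed.
import xml.etree.ElementTree as ET
from collections import Counter

def local(tag):
    # Strip an optional "{namespace}" prefix that ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def collect_statements(response_xml):
    """Return one list of statement type names per Assertion in the Response."""
    root = ET.fromstring(response_xml)
    if local(root.tag) != "Response":
        raise ValueError("not a Response")
    return [[local(s.tag) for s in a if local(s.tag).endswith("Statement")]
            for a in root if local(a.tag) == "Assertion"]

def summarize(response_xml, respond_with=()):
    """Flatten all statements and compare them with the requested types (assumed meaning)."""
    per_assertion = collect_statements(response_xml)
    counts = Counter(t for stmts in per_assertion for t in stmts)
    requested = set(respond_with)
    return {
        "assertions": len(per_assertion),
        "counts": dict(counts),
        "unrequested": sorted(set(counts) - requested) if requested else [],
        "missing": sorted(requested - set(counts)),
    }

# Constructed samples mirroring options 1, 2 and 3 from the question.
SEPARATE = ("<Response><Status/>"
            "<Assertion><AuthenticationStatement/></Assertion></Response>")
MULTI_ASSERTION = ("<Response><Status/>"
                   "<Assertion><AuthenticationStatement/></Assertion>"
                   "<Assertion><AttributeStatement/></Assertion></Response>")
MULTI_STATEMENT = ("<Response><Status/><Assertion>"
                   "<AuthenticationStatement/><AttributeStatement/>"
                   "</Assertion></Response>")

if __name__ == "__main__":
    wanted = ["AuthenticationStatement", "AttributeStatement"]
    for name, doc in [("separate", SEPARATE), ("multi-assertion", MULTI_ASSERTION),
                      ("multi-statement", MULTI_STATEMENT)]:
        print(name, summarize(doc, wanted))
```

Options 2 and 3 yield the same flattened statement counts and differ only in how many assertions carry them, which is the variation a receiver has to tolerate regardless of what the request asked for.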