[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [security-services] ISSUE: NameIdentifier specification needs tobe clarified
>As I see it, the current definition of NameIdentifier is >generic enough that we could easily end up with conflicting >"profiles", as happened in the early days of X509 certificates. >How do we represent an X500 DNAME? what about email addresses? >In the absence of specific guidelines, I'm afraid we'll end >up with the usual mess of standards-compliant software that >doesn't interoperate. I agree that we need to clarify the semantics of NameIdentifiers (core-27 section 2.4.2.2, lines 631). Furthermore, without a structured definition and processing rules for Security Domains, support for basic interoperability of Name Identifiers, a core element of SAML 1.0, may not be achievable. Hence, I think we do need to improve the schema definition of NameIdentifier such that following high level requirements, implicitly assumed in SAML 1.0, are satisfied: 1. NameIdentifier's Security Domain Interoperability Support It is required that SAML processing systems be able to resolve and interpret security domains in a sematically consistent manner. 2. Domain-qualified Naming Systems Support Need ability to model a principal's Name w.r.t. its Security Domain such that we do not have name identifier value collisions. The Security Domain may or may not be the same as the Issuer. Use of security domain should be optional. 3. Enable Federated Identity Processing To support federated identity systems for a range of applications, SAML must support extensible content models for Security Domains. Analysis of Above Requirements Requirements #1 and #2 above imply that SAML 1.0 support an optional way to employ concrete definitions of Security Domains. URI based definitions is one option to achieve interoperabiluty via formalized and agreed-upon definitions of Security Domains although I would prefer NOT making it the only way to model Security Domains. However, we must allow extensions of Security Domain models, as requirement #3 states, such that they fit better w.r.t. differing name identifiers context, for example, LDAP, Kerberos, etc. that we have previously discussed as part of the current issue. Hence, I recommend following changes in core-27: 1) Model Abstract Security Domains SAML 1.0 define an abstract definition of Security Domain that captures general properties of a Security Domain. The Abstract Security Domain can be extended by concrete definitions of Security Domains by SAML enabled applications in terms of the semantics of their applications needs. 2) Concrete Definition of Security Domain Additionally, SAML 1.0 also include one concrete definition of Security Domain that may be used by SAML applications. In line with this here is a possible sub-schema that we can employ to modify latest SAML 1.0 Core-27 schema. This schema supports URI-based Security domain optionally. It also is supposed to allow instantiation of NameIdentifers w/o Security Domains. Lastly, SAML implementors can have the option of extending the Security Domain via the domain abstraction included here. NOTE: the XML schema here may need to be changed, but it is here mostly here as a starting point to model above approach. <!-- // Abstract_SecurityDomain type - primitive definition // of Security Domains --> <xsd:complexType name="Abstract_SecurityDomain" abstract="true"> <xsd:sequence> <xsd:element name="SecurityDomainID" type="xsd:string" maxOccurs="1"/> </xsd:sequence> </xsd:complexType> <!-- // SecurityDomain Element that optionally may include URIs --> <xsd:element name="ConcreteSecurityDomain"> <xsd:complexType> <xsd:simpleContent> <xsd:extension base="Abstract_SecurityDomain"> <xsd:attribute name="SecurityDomainURI" type="xsd:anyURI"/> </xsd:extension> </xsd:simpleContent> </xsd:complexType> </xsd:element> <!-- // NameIdentifierType definition that optionally may contain // a Security Domain element --> <xsd:complexType name="NameIdentifierType"> <xsd:sequence> <xsd:element name="SecurityDomain" type="Abstract_SecurityDomain" minOccurs="0" maxOccurs="1"/> </xsd:sequence> <xsd:attribute name="Name" type="xsd:string"/> </xsd:complexType> thanks, Zahid Zahid Ahmed Commerce Security Architect Commerce One, Inc. 408-517-3903 -----Original Message----- From: Irving Reid <Irving.Reid@baltimore.com> Sent: Monday, February 25, 2002 09:12:09 -0500 To: security-services@lists.oasis-open.org Subject: [security-services] ISSUE: NameIdentifier specification needs to beclarified I'd like to formally raise an issue that we need to clarify the semantics of NameIdentifiers (core-27 section 2.4.2.2, lines 631ff. There has been some discussion on the list, starting with message "RE: [security-services] NameIdentifier proposed change (Sun L3 comment)" (http://lists.oasis-open.org/archives/security-services/200202/msg00123.html ) As I see it, the current definition of NameIdentifier is generic enough that we could easily end up with conflicting "profiles", as happened in the early days of X509 certificates. How do we represent an X500 DNAME? what about email addresses? In the absence of specific guidelines, I'm afraid we'll end up with the usual mess of standards-compliant software that doesn't interoperate. Here's a proposal, to get the debate going. The SecurityDomain attribute on NameIdentifier is changed to an anyURI. SAML defines specific URI values, within the SAML URI namespace, to identify certain well known identifier formats such as X500 DNAME and Internet email address. In these cases, the content of the Name portion is the entire identifier. For example (using Eve's proposed non-empty element format): <NameIdentifier SecurityDomain="http://www.oasis-open.org/committees/security/docs/draft-sst c-core-27#email">irving@baltimore.com</NameIdentifier> <NameIdentifier SecurityDomain="http://www.oasis-open.org/committees/security/docs/draft-sst c-core-27#X500-dname">cn=Irving Reid,ou=Engineering,o=baltimore.com</NameIdentifier> SAML applications SHOULD use defined SecurityDomain values and name formats whenever possible. If anyone else thinks this is a good idea, we can work up the normative language. - irving -
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC