OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Distributed transaction scenario (and SAM LBasics slides)

Title: RE: [security-services] Distributed transaction scenario (and SAML Basics slides)
you have a misunderstanding of the distributed transaction scenario. I would urge you
to review carefully Eve's larger presentation which includes slide 53 as one small
piece. It clearly motivates and clarifies slide 53.
A key reason to bring in SAML in this context is when the sender and receiver
do NOT have direct knowledge of each other. Often the receiver is known to the sender
but not vice-versa. In such a case, the sender may interact with an authority trusted by
the receiver and obtain one or more assertions (of any type). These assertions may then
be attached to a SOAP message and sent to the receiver. The receiver is able to process
the business message in the context of the attached assertions. There is also a more
symmetric case where sender also has no knowledge of the receiver, which I believe is also
called out in one of Eve's slides.
If the sender and receiver have direct knowledge of each other (keys, certificates, identity)
then bringing SAML into the picture adds very little additional value.
- prateek
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Tuesday, June 25, 2002 10:21 AM
To: 'Eve L. Maler'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] Distributed transaction scenario (and SAM L Basics slides)

Looking at slide 53. I don't think it is wrong, but I believe the more common case would be to simply provide an Attribute Assertion with some Subject Confirmation Method that the recipient can use.

There would be no real need for SSO or to set up a distributed session. The PDP just needs to know the user's attributes. Assuming the user can arrange to sign the SOAP transaction, he or she should be able to use a signature for subject confirmation method.


> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@sun.com]
> Sent: Tuesday, June 11, 2002 1:59 PM
> To: Eve L. Maler
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Distributed transaction scenario (and
> SAML Basics slides)
> Yikes, let's try attaching the thing...
> Eve L. Maler wrote:
> > Slide 53 is the most directly relevant one, but I included
> the whole
> > thing because I've been periodically posting this
> presentation anyway...
> >  This slide shows the motivation for attaching authentication and
> > attribute assertions to a payload containing a purchase
> order.  Please
> > comment on whether there are additional scenarios that
> would deviate
> > from this relatively simple flow.
> >
> > By the way, if anyone sees anything inaccurate in the
> examples or text
> > of the preso as a whole, please let me know because I
> deliver this talk
> > relatively often and try to keep it up to date.
> >
> > Thanks,
> >
> >     Eve
> --
> Eve Maler                                    +1 781 442 3190
> Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC