

Subject: RE: [security-services] draft-sstc-meta-data-00.doc


I did review the metadata document a while back, but haven't had time to write up my comments.  Since I seem to have turned into an insomniac, I'm finally making time to send my comments.

 

First, thanks for starting this effort.  It's a good start.  Please see my comments embedded in the document...

 

To summarize my key points:

  1. I recommend sticking to "Asserting Party" and "Relying Party" terminology rather than "Source Site" and "Destination Site", etc.
  2. I also recommend using names for the various services that are used in the main specs (e.g. "Artifact Receiver Service", "SAML SOAP Binding Service")
  3. I think there's still quite a bit of metadata missing... For example:
    1. Type of artifact being used (Type 1 or Type 2)
    2. Supported SAML Authentication Methods
    3. DSig requirements - Whether to sign requests, responses, and/or assertions; the C14N algorithm being used, etc.
    4. Agreed-upon Subject Name Qualifiers being used between the partners
    5. Agreed-upon Attribute NameSpaces being used between the partners.
    6. Names of supplemental schemas required for document validation (e.g. for when external schemas are used to describe complex attribute values).
    7. Web SSO Assertion contents (just Authn Statements? Attribute Statements?)
    8. What SubjectLocality info is provided.
    9. Etc.

 

 

To address some of these issues, perhaps we want to consider a small sub-committee to go off and work this topic a bit further rather than trying to deal with them all in the regular TC meeting.

 

Thoughts?

 

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com

-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Tuesday, November 12, 2002 12:00 PM
To: 'security-services@lists.oasis-open.org'
Subject: [security-services] draft-sstc-meta-data-00.doc

 

Colleagues,

 

Attached is a first draft enumerating the metadata required for the Web Browser Profiles. It is based on the SAML Catalyst InterOp experience and related Liberty Alliance meta-data. It lacks schema and the language is still informal.

 

Questions ---

 

Does it capture all the required metadata for implementing BOTH web browser profiles?

 

Are the types of different elements appropriate?

 

Comments are invited.

 

- prateek  

Attachment: draft-sstc-saml-meta-data-00.doc
Description: MS-Word document


