OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Rev 06 of core spec -- need input

Scott and John K. have done a lot of work, and I've done a little, on 
this latest draft of the core spec.  I'm not sure where we've gotten on 
the corresponding schema changes; will try to sync this up soon.

Please make sure to review all the change-bar material and read the 
description blurb below.  Some other points that also need to be vetted:

- Slightly softened language around how message senders and messages are 

- This draft reflects the new lines we're starting to draw between 
bindings and profiles (e.g. "logout protocol bindings").  This will 
require coordination with Frederick.

- Naming is now inconsistent.  SAML previously used long names; Liberty 
shortened some for efficiency reasons.  So we now have 
<AuthenticationStatement> but <AuthnRequest>, and <NameIdentifier> but 
NameIDPolicy.  We need to decide whether (a) the inconsistency is okay, 
(b) if not, which way we go for what reasons, and (c) whether we want to 
do a full-on succinctness assault.

- The proposal for the new <ProxyRestrictionCondition> brings to light 
an old SAML ugliness: <Conditions> contains a repeatable bag of 
subelements, necessitating verbiage about what to do when more than one 
subelement appears (which has been done in the case of the new 
subelement, but not the old ones).  Options: (1) Add prose requirements 
(not expressible in XSD) that subelements MUST appear a maximum of once 
in <Conditions> (the simplest); (2) change <Conditions> 
backwards-incompatibly to contain an ordered list of 0..1 of each 
subelement (my favorite); (3) add lots more SHOULD prose to the old 
subelement descriptions, similar to what's in the new one (yuck).

- The set of protocols is now inconsistent wrt response messages.  Some 
use the <Response> element, and some use specifically named 
<RegisterNameIdentifierResponse>, <FederationTerminationResponse>, and 
<LogoutResponse>, though they're bound to the same complex type as 
<Response> is.  Which way to unify this?


Eve.Maler@Sun.COM wrote:

> The document sstc-saml-core-2.0-draft-06-diff.pdf has been submitted by Eve Maler (eve.maler@sun.com) to the OASIS Security Services TC document repository.
> Document Description:
> Added AssertionURIReference (W-19), a proposal for ProxyRestrictionCondition, and a proposal for AuthNRequest/Response (related to many work items). Fleshed out LogoutRequest/Response (W-1). Implemented the freezing of authZ decision statement functionality (W-28b). OpenOffice.org and non-change-bar PDF forms also being uploaded.
> Download Document:  
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/5600/sstc-saml-core-2.0-draft-06-diff.pdf
> View Document Details:
> http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=5600
> PLEASE NOTE:  If the above links do not work for you, your email application
> may be breaking the link into two pieces.  You may be able to copy and paste
> the entire link address into the address field of your web browser.
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]