[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Comments on Attributes in Draft 08e-draft-03-diff
[Mike McI., can you please forward to the XACML TC list? Thanks.] Hi Anne, In the SAML F2F this week, we've just finished discussing the proposed SAML attribute statement/query changes, and we've made some (hopefully final) decisions in this area. We wanted to feed this information back to you, and particularly ask if you can discuss one remaining issue with the XACML TC in your meeting tomorrow morning (and get back to us immediately afterwards if possible, since we're meeting through Thursday noonish Central Time). Anne Anderson wrote: > Some problems with the specification of Attributes in Draft 08: > > 1. NameFormat [Required] > A URI reference representing the classification of > the attribute name for purposes of interpreting the name. > See Section 7.x for some URI references that MAY be used as > the value of the NameFormat attribute and their associated > descriptions and processing rules. If no NameFormat value > is provided, the identifier > urn:oasis:names:tc:SAML:2.0:attname-format:unspecified (see > Section 7.x) is in effect. Type="anyURI". > > Comment: If NameFormat is intended to map to a schema > specification (or surrogate) in which the name is defined, > please say so. "A URI reference representing the > classification of the attribute name for purposes of > interpreting the name" could mean as many things to as many > people as "NameQualifier" and "NameSpace" did. The NameFormat is just an identifying URI, and has no expressed connection to a schema; this concept is used throughout SAML (e.g., NameIdentifierFormat) and is not new here. If you want to suggest any prose clarifications along these lines, I'd be grateful. We discussed the problem of providing too many vague options in this area, and finally satisfied ourselves that keeping a required Name and offering an *optional* NameFormat with a default of "...unspecified" corresponds most closely to the behavior and wishes of most SAML users. Using a NameFormat of "...uri" (or inventing your own) gives other populations the ability to specify more of the interpretation assumptions in-band. We felt that this was the best compromise in service of both interop and the reality on the ground. XACML folks would probably use "...uri". > 2. Source [Optional] > The source location or database from which the attribute > came. Interpretation of the source information is > application-specific. Type="string". > > Comment: > Is source a "database type" or a specific database > repository location? If it is a repository location, say so > and make the type "anyURI", saying it SHOULD be a URL. > Also, if Source remains of type "string", there is the > possibility of name collisions. We decided to eliminate Source. This was an attempt to provide a second field for those who prefer a two-part attribute name, the way we (roughly) used to have with AttributeName and AttributeNamespace, but we agreed that it was too loose to provide any interop usefulness to anyone. For those who want that second name part, we provided the <anyAttribute> wildcard, about which more below. > 3. Arbitrary attributes > This complex type uses an <xsd:anyAttribute> extension point > to allow for arbitrary XML attributes to be added to > <Attribute> constructs without the need for an explicit > schema extension. This allows additional fields to be added > as needed to supply the context in which the attribute > should be understood. SAML extensions MUST NOT add local > (non-namespace-qualified) XML attribuets to the > AttributeType complex type or to any element bound to this > type or a derivations of it; such attributes are reserved > for future maintenance and enhancement of SAML itself. > > Comment: > The addition of facilities such as this guarantees > non-interoperability and makes it impossible to specify > standard mappings to other Attribute formats. It is likely > to be mis-used, and common mis-uses then become defacto > standards that everyone has to work around. Define any > number of specific, optional attributes instead, but make > sure each has a VERY clear semantic. SAML has a number of explicit extensibility points, through which we try to govern the *forms* of extension while not (much) constraining what extenders do; the goal is to gain measures of both interop and flexibility. The <anyAttribute> wildcard is one mechanism among many that we employ. You may want to see our schema extensibility position paper for more thoughts on this subject.[1] Today we agreed to add an <anyAttribute> wildcard to AttributeDesignator to allow for application-specific enhanced querying, as well as retaining <anyAttribute> on Attribute to allow for application-specific scoping etc. > 4. Name and NameFormat > > Comment: will these ever be used separately? Does anyone ever > want "all instances of the 'gorp' Attribute", regardless of > the NameFormat, or "all instances of Attributes with > NameFormat 'urn:oasis:tc:xacml:', regardless of the > Attribute's Name. If not, at least define ONE scheme for > the NameFormat URI (such as "urn:") so that NameFormat and > Name can be concatenated using a single known separator > character (such as ":"). This will make mapping much easier > for systems that require unique identifiers for Attributes. > Even better would be to specify one unique name combining > Name and NameFormat. As noted above, Name is nominally (ha) a unitary name field, and NameFormat simply explains how to interpret it; this is qualitatively different from the old AttributeName/AttributeNamespace pair, which was truly two-part. The NameFormat field has two SAML-predefined values ("...unspecified" and "...uri"), and anyone can define others. Please let us know if this remains unclear; I'm hoping that our new Baseline Attributes document will help explicate. > 5. ValueType > > Comment: Reconsider making this "required" instead of > "optional". Other standards groups have discovered that a > data type is necessary in the Attribute metadata in order to > handle type checking. Having it be optional means only > certain Attributes can be handled easily by systems that > require type checking. On reflection, we would actually like to eliminate ValueType. The theory is that, given the unconnectedness/skew of this notion to the xsi:type method of governing attribute values, plus the lack of expressed need by native SAML users for a URI-based typing mechanism, this is best done by the addition of a global attribute through <anyAttribute>; this puts the burden of semantic clarity on the definer. So we are anticipating that the XACML profile of SAML may define one or more attributes here, most urgently something like an xacml:ValueType attribute; you would be free to prohibit any further extension. Our new Baseline Attributes document would explain how to do this. (Note that you would be free to define such XACML extensions using XML Schema if you wished, though the <anyAttribute> formulation doesn't require it.) We specifically were hoping for feedback on the acceptability of adding an XACML-specific ValueType attribute vs. having a SAML-native ValueType attribute. Thanks! Eve [1] http://www.oasis-open.org/committees/download.php/5227/sstc-maler-schema-extension-02-diff.pdf -- Eve Maler +1 781 442 3190 Sun Microsystems cell +1 781 354 9441 Web Products, Technologies, and Standards eve.maler @ sun.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]