OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Comments on Attributes in Draft 08e-draft-03-diff

[Mike McI., can you please forward to the XACML TC list?  Thanks.]

Hi Anne,

In the SAML F2F this week, we've just finished discussing the proposed 
SAML attribute statement/query changes, and we've made some (hopefully 
final) decisions in this area.  We wanted to feed this information back 
to you, and particularly ask if you can discuss one remaining issue with 
the XACML TC in your meeting tomorrow morning (and get back to us 
immediately afterwards if possible, since we're meeting through Thursday 
noonish Central Time).

Anne Anderson wrote:

> Some problems with the specification of Attributes in Draft 08:
> 1. NameFormat [Required]
>      A URI reference representing the classification of
>      the attribute name for purposes of interpreting the name.
>      See Section 7.x for some URI references that MAY be used as
>      the value of the NameFormat attribute and their associated
>      descriptions and processing rules.  If no NameFormat value
>      is provided, the identifier
>      urn:oasis:names:tc:SAML:2.0:attname-format:unspecified (see
>      Section 7.x) is in effect.  Type="anyURI".
>    Comment: If NameFormat is intended to map to a schema
>      specification (or surrogate) in which the name is defined,
>      please say so.  "A URI reference representing the
>      classification of the attribute name for purposes of
>      interpreting the name" could mean as many things to as many
>      people as "NameQualifier" and "NameSpace" did.

The NameFormat is just an identifying URI, and has no expressed 
connection to a schema; this concept is used throughout SAML (e.g., 
NameIdentifierFormat) and is not new here.  If you want to suggest any 
prose clarifications along these lines, I'd be grateful.

We discussed the problem of providing too many vague options in this 
area, and finally satisfied ourselves that keeping a required Name and 
offering an *optional* NameFormat with a default of "...unspecified" 
corresponds most closely to the behavior and wishes of most SAML users. 
  Using a NameFormat of "...uri" (or inventing your own) gives other 
populations the ability to specify more of the interpretation 
assumptions in-band.  We felt that this was the best compromise in 
service of both interop and the reality on the ground.  XACML folks 
would probably use "...uri".

> 2. Source [Optional]
>      The source location or database from which the attribute
>      came.  Interpretation of the source information is
>      application-specific.  Type="string".
>    Comment:
>      Is source a "database type" or a specific database
>      repository location?  If it is a repository location, say so
>      and make the type "anyURI", saying it SHOULD be a URL.
>      Also, if Source remains of type "string", there is the
>      possibility of name collisions.

We decided to eliminate Source.  This was an attempt to provide a second 
field for those who prefer a two-part attribute name, the way we 
(roughly) used to have with AttributeName and AttributeNamespace, but we 
agreed that it was too loose to provide any interop usefulness to 
anyone.  For those who want that second name part, we provided the 
<anyAttribute> wildcard, about which more below.

> 3. Arbitrary attributes
>      This complex type uses an <xsd:anyAttribute> extension point
>      to allow for arbitrary XML attributes to be added to
>      <Attribute> constructs without the need for an explicit
>      schema extension.  This allows additional fields to be added
>      as needed to supply the context in which the attribute
>      should be understood.  SAML extensions MUST NOT add local
>      (non-namespace-qualified) XML attribuets to the
>      AttributeType complex type or to any element bound to this
>      type or a derivations of it; such attributes are reserved
>      for future maintenance and enhancement of SAML itself.
>    Comment:
>      The addition of facilities such as this guarantees
>      non-interoperability and makes it impossible to specify
>      standard mappings to other Attribute formats.  It is likely
>      to be mis-used, and common mis-uses then become defacto
>      standards that everyone has to work around.  Define any
>      number of specific, optional attributes instead, but make
>      sure each has a VERY clear semantic.

SAML has a number of explicit extensibility points, through which we try 
to govern the *forms* of extension while not (much) constraining what 
extenders do; the goal is to gain measures of both interop and 
flexibility.  The <anyAttribute> wildcard is one mechanism among many 
that we employ.  You may want to see our schema extensibility position 
paper for more thoughts on this subject.[1]

Today we agreed to add an <anyAttribute> wildcard to AttributeDesignator 
to allow for application-specific enhanced querying, as well as 
retaining <anyAttribute> on Attribute to allow for application-specific 
scoping etc.

> 4. Name and NameFormat
>    Comment: will these ever be used separately?  Does anyone ever
>      want "all instances of the 'gorp' Attribute", regardless of
>      the NameFormat, or "all instances of Attributes with
>      NameFormat 'urn:oasis:tc:xacml:', regardless of the
>      Attribute's Name.  If not, at least define ONE scheme for
>      the NameFormat URI (such as "urn:") so that NameFormat and
>      Name can be concatenated using a single known separator
>      character (such as ":").  This will make mapping much easier
>      for systems that require unique identifiers for Attributes.
>      Even better would be to specify one unique name combining
>      Name and NameFormat.

As noted above, Name is nominally (ha) a unitary name field, and 
NameFormat simply explains how to interpret it; this is qualitatively 
different from the old AttributeName/AttributeNamespace pair, which was 
truly two-part.  The NameFormat field has two SAML-predefined values 
("...unspecified" and "...uri"), and anyone can define others.  Please 
let us know if this remains unclear; I'm hoping that our new Baseline 
Attributes document will help explicate.

> 5. ValueType
>    Comment: Reconsider making this "required" instead of
>      "optional".  Other standards groups have discovered that a
>      data type is necessary in the Attribute metadata in order to
>      handle type checking.  Having it be optional means only
>      certain Attributes can be handled easily by systems that
>      require type checking.

On reflection, we would actually like to eliminate ValueType.  The 
theory is that, given the unconnectedness/skew of this notion to the 
xsi:type method of governing attribute values, plus the lack of 
expressed need by native SAML users for a URI-based typing mechanism, 
this is best done by the addition of a global attribute through 
<anyAttribute>; this puts the burden of semantic clarity on the definer.

So we are anticipating that the XACML profile of SAML may define one or 
more attributes here, most urgently something like an xacml:ValueType 
attribute; you would be free to prohibit any further extension.  Our new 
Baseline Attributes document would explain how to do this. (Note that 
you would be free to define such XACML extensions using XML Schema if 
you wished, though the <anyAttribute> formulation doesn't require it.)

We specifically were hoping for feedback on the acceptability of adding 
an XACML-specific ValueType attribute vs. having a SAML-native ValueType 




Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]