

Subject: Re: [security-services] Groups - sstc-saml2-profiles-x509-draft-11.odt uploaded


[Unless otherwise noted, all references to "this document" within this
message refer to the document cited in the subject line.  For further
reference, note that this document contains four subprofiles:

SAML V2.0 Profiles for X.509 Subjects:
1. X.509 SAML Subject Profile
2. SAML Assertion Profile for X.509 Subjects
3. SAML Attribute Query Profile for X.509 Subjects
4. SAML Attribute Self-Query Profile for X.509 Subjects

These subprofiles are referred to by name below.]

To summarize the disposition of this document:

It was decided on the last two calls that this document be withdrawn
from consideration, and that Ari draft a new revision of the "SAML
Attribute Sharing Profile for X.509 Authentication-Based Systems".  It
was further recommended that this document be renamed and resubmitted
as the initial installment of a completely new document stream.  The
term "deployment profile" was used to describe this new document.

The above is my interpretation of the discussion thus far.  Please
correct me if you took away a different interpretation.

That said, I have decided not to fork a new document stream at this
time, for the following reasons:

- No formal comments have been received regarding this document, but
Scott has offered some general comments regarding this family of
documents.  These comments should be addressed in any new document
submitted to the SSTC.  Thus this document should be rewritten to take
these comments into account.

- Ari's forthcoming rewrite of the "SAML Attribute Sharing Profile for
X.509 Authentication-Based Systems" will no doubt overlap
significantly with this document (since the history of both can be
traced to the same root ancestor).  Until I've had a chance to review
Ari's work, it seems unwise to fork a competing document stream.

- It is not clear what is meant by "deployment profile."  I agree that
the subprofiles "X.509 SAML Subject Profile" and "SAML Assertion
Profile for X.509 Subjects" are not "profiles" as the word is often
used, but the "SAML Attribute Query Profile for X.509 Subjects" and
the "SAML Attribute Self-Query Profile for X.509 Subjects" are indeed
profiles associated with specific use cases.  Moreover, the use case
associated with the "SAML Attribute Query Profile for X.509 Subjects"
is precisely the same use case that motivates the "SAML Attribute
Sharing Profile for X.509 Authentication-Based Systems", so if one is
not a profile, neither is the other.

So all in all, I think it's best to wait and see how the "SAML
Attribute Sharing Profile for X.509 Authentication-Based Systems"
shakes out.  In the meantime, our group is implementing a complete
end-to-end solution for this use case based on SAML V1.1 technology.
This experience will help us better understand the profile
requirements of this use case.

Best regards,

Tom Scavo
NCSA/University of Illinois

On 29 Aug 2006 19:43:59 -0000, tscavo@ncsa.uiuc.edu
<tscavo@ncsa.uiuc.edu> wrote:
> The document named sstc-saml2-profiles-x509-draft-11.odt has been submitted
> by Tom Scavo* to the OASIS Security Services (SAML) TC document
> repository.
>
> Document Description:
> SAML V2.0 Profiles for X.509 Subjects (ODT)
>
> View Document Details:
> http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=19999
>
> Download Document:
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/19999/sstc-saml2-profiles-x509-draft-11.odt
>
>
> PLEASE NOTE:  If the above links do not work for you, your email application
> may be breaking the link into two pieces.  You may be able to copy and paste
> the entire link address into the address field of your web browser.
>
> -OASIS Open Administration
>

