OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Groups - sstc-saml2-profiles-x509-draft-11.odt uploaded

> - It is not clear what is meant by "deployment profile."

My rough definition is any profile that simply takes an existing SAML
profile and constrains the optional behavior and choices in ways that really
don't change the original intent. To me, if I can configure existing
software that implements a profile to meet your profile, than what you have
is not a new profile in the broad sense, it's just knob turning.

The benefit of packaging it all up is clear, I'm not arguing against that,
but it's not quite the same thing as defining wholly new profiles.

> I agree that
> the subprofiles "X.509 SAML Subject Profile" and "SAML Assertion
> Profile for X.509 Subjects" are not "profiles" as the word is often
> used, but the "SAML Attribute Query Profile for X.509 Subjects" and
> the "SAML Attribute Self-Query Profile for X.509 Subjects" are indeed
> profiles associated with specific use cases.

Not to me. I think they're standard queries. Especially the self-query.
That's nothing but a presumption that leads to policy like "I can ask for
anything about myself". That's never been in scope, but it's always been
legal, and in 2.0 it's even directly expressible inside the request (via
Issuer == Subject).

How is that different from "SAML Attribute Query-By-Partner for X.509
Subjects"? The only difference is who's asking. I think we have to draw a
line somewhere when things start moving beyond the scope of the standard.
There's a name for the complete set of everything you're doing at runtime,
but I think SAML profile is a little less than that.

So, "deployment profile" is my name for that sort of complete document that
lays out how a given application in some community is doing things.

> Moreover, the use case
> associated with the "SAML Attribute Query Profile for X.509 Subjects"
> is precisely the same use case that motivates the "SAML Attribute
> Sharing Profile for X.509 Authentication-Based Systems", so if one is
> not a profile, neither is the other.

Which I've argued repeatedly, so I don't think I'm being inconsistent.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]