OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] Groups - sstc-saml2-profiles-x509-draft-11.odt uploaded


+1
abbie 

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Friday, September 29, 2006 4:24 PM
To: 'Tom Scavo'; security-services@lists.oasis-open.org
Subject: RE: [security-services] Groups -
sstc-saml2-profiles-x509-draft-11.odt uploaded

> - It is not clear what is meant by "deployment profile."

My rough definition is any profile that simply takes an existing SAML
profile and constrains the optional behavior and choices in ways that
really don't change the original intent. To me, if I can configure
existing software that implements a profile to meet your profile, than
what you have is not a new profile in the broad sense, it's just knob
turning.

The benefit of packaging it all up is clear, I'm not arguing against
that, but it's not quite the same thing as defining wholly new profiles.

> I agree that
> the subprofiles "X.509 SAML Subject Profile" and "SAML Assertion 
> Profile for X.509 Subjects" are not "profiles" as the word is often 
> used, but the "SAML Attribute Query Profile for X.509 Subjects" and 
> the "SAML Attribute Self-Query Profile for X.509 Subjects" are indeed 
> profiles associated with specific use cases.

Not to me. I think they're standard queries. Especially the self-query.
That's nothing but a presumption that leads to policy like "I can ask
for anything about myself". That's never been in scope, but it's always
been legal, and in 2.0 it's even directly expressible inside the request
(via Issuer == Subject).

How is that different from "SAML Attribute Query-By-Partner for X.509
Subjects"? The only difference is who's asking. I think we have to draw
a line somewhere when things start moving beyond the scope of the
standard.
There's a name for the complete set of everything you're doing at
runtime, but I think SAML profile is a little less than that.

So, "deployment profile" is my name for that sort of complete document
that lays out how a given application in some community is doing things.

> Moreover, the use case
> associated with the "SAML Attribute Query Profile for X.509 Subjects"
> is precisely the same use case that motivates the "SAML Attribute 
> Sharing Profile for X.509 Authentication-Based Systems", so if one is 
> not a profile, neither is the other.

Which I've argued repeatedly, so I don't think I'm being inconsistent.

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]