
security-services message


Subject: RE: [security-services] Groups -sstc-saml2-profiles-x509-draft-11.odt uploaded


I agree with your definition of "deployment profile", but I'm thinking that I should not change the document name scheme for the original attribute sharing "profile" with the new draft, to avoid confusion w.r.t. the document's history/status.


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Friday, September 29, 2006 4:24 PM
> To: 'Tom Scavo'; security-services@lists.oasis-open.org
> Subject: RE: [security-services] Groups - sstc-saml2-profiles-x509-draft-11.odt uploaded
>
> > - It is not clear what is meant by "deployment profile."
>
> My rough definition is any profile that simply takes an existing SAML profile and constrains the optional behavior and choices in ways that really don't change the original intent. To me, if I can configure existing software that implements a profile to meet your profile, then what you have is not a new profile in the broad sense, it's just knob turning.
>
> The benefit of packaging it all up is clear, I'm not arguing against that, but it's not quite the same thing as defining wholly new profiles.
>
> > I agree that the subprofiles "X.509 SAML Subject Profile" and "SAML Assertion Profile for X.509 Subjects" are not "profiles" as the word is often used, but the "SAML Attribute Query Profile for X.509 Subjects" and the "SAML Attribute Self-Query Profile for X.509 Subjects" are indeed profiles associated with specific use cases.
>
> Not to me. I think they're standard queries. Especially the self-query. That's nothing but a presumption that leads to policy like "I can ask for anything about myself". That's never been in scope, but it's always been legal, and in 2.0 it's even directly expressible inside the request (via Issuer == Subject).
>
> How is that different from "SAML Attribute Query-By-Partner for X.509 Subjects"? The only difference is who's asking. I think we have to draw a line somewhere when things start moving beyond the scope of the standard. There's a name for the complete set of everything you're doing at runtime, but I think SAML profile is a little less than that.
>
> So, "deployment profile" is my name for that sort of complete document that lays out how a given application in some community is doing things.
>
> > Moreover, the use case associated with the "SAML Attribute Query Profile for X.509 Subjects" is precisely the same use case that motivates the "SAML Attribute Sharing Profile for X.509 Authentication-Based Systems", so if one is not a profile, neither is the other.
>
> Which I've argued repeatedly, so I don't think I'm being inconsistent.
>
> -- Scott
