Subject: [wss] SAML Token Profile comments


I have some comments on the Web Services Security: SAML Token Profile draft 6, 21 Feb 03
---
(1) Section 2.3, [97]-[98]

Perhaps this section can be populated as follows (including using W3C terminology from http://www.w3.org/TR/2002/WD-ws-gloss-20021114/ ):

* Invocation identity - subject of SAML assertion, party that requests service when message is processed.

* Sender - SOAP sender, either a SOAP intermediary or an initial SOAP sender. A sender is a proxy when its identity differs from the invocation identity.

* Relying Party - recipient of message that relies on message and message assertions to provide invoked service

* Service - invocation responder, providing service - (relying party acting as service provider)

* SAML Authority - Party that has signed SAML assertion, usually a trusted third party.

I propose that Author is confusing and "initial SOAP sender" should be used instead.

---
(2) clarify Security Token section 3.3

Some minor changes suggested to make this section clearer:

[151]-[152] 
Replace "The three forms of token references..." with

"Only the Key Identifier token reference may be used with the SAML Token Profile:"

[170] Move Binding description before Location description [164]

[175] Add the following line after [175], before [176]
"The following token references defined in the WSS: SOAP Message Security specification cannot be used with SAML tokens:"

[208] replace "preferred" with "only"

[213]-[214] replace "Methods to reference..." 
with 
"The STR-Transform may be used to reference a SAML token from a ds:Reference, as defined in the WSS: SOAP Message Security specification."

----
(3) Example bug fix
A > is needed for the wsse:KeyIdentifier element at [266], [279]

----
(4) Delegated invocation

[303] remove the sentence:
"Note that the high-level...between message author and message sender...attacks"
The discussion does distinguish between sender and invoker and isn't that all that matters here?

[311] Add the following: (intent is to explain model in 3.4.1)
The Holder-Of-Key method assumes the invoker of a service to be the initial SOAP sender or a SOAP intermediary, 
and requires the sender to prove knowledge of a key.

[329] editorial:
"element in the same <wsse:Security> element as contains the token."

[332] where are the canonicalization and "token inclusion rules" defined in WSS:SOAP Message Security?

[421] replace joe@yahoo.com with joe@an.example.com

[462] Add
The sender-vouches confirmation method allows an invoker to delegate to a sender the ability to vouch for their
identity.

[579] replace portal@yahoo.com with portal@place.example.com

-----
(5) 
[18], [57], [60], [292], [462], [595], [596], [602], [604], [612], [614], [618], [645], [648], [651]
replace WS-Security with WSS: SOAP Message Security

[613] Does inappropriate delegation open a new threat? Presumably addressed by SAML authority signing assertions
as noted later in 3.6.2

regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones
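The two points raised in comments (2) and (4) above, that a SAML token should be referenced only through a wsse:KeyIdentifier and that the assertion's confirmation method (holder-of-key or sender-vouches) decides what the relying party must verify about the sender, can be turned into a simple receiver-side check. The code below is an added Python example, not part of this message or of the WSS draft under review. It assumes the namespace and ValueType URIs of the published WSS 1.0 and SAML Token Profile 1.0 (the February 2003 draft used earlier namespaces, so the constants would need swapping for draft-era messages), and the SOAP envelope it inspects is constructed for the example.

```python
"""Inspect how SAML assertions are referenced and confirmed in a wsse:Security header."""
import xml.etree.ElementTree as ET

# Assumption: published OASIS WSS 1.0 / SAML Token Profile 1.0 URIs, not the draft's.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML_ID_VALUETYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def qn(ns, local):
    """Clark-notation qualified name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def find_assertions(security):
    """Map AssertionID -> saml:Assertion element for every assertion in the header."""
    return {a.get("AssertionID"): a for a in security.iter(qn(SAML, "Assertion"))}


def confirmation_methods(assertion):
    """Return the saml:ConfirmationMethod URIs carried by an assertion."""
    return [cm.text.strip() for cm in assertion.iter(qn(SAML, "ConfirmationMethod")) if cm.text]


def check_token_references(security):
    """Classify every wsse:SecurityTokenReference in the header.

    A reference is 'allowed' only when it is a wsse:KeyIdentifier with the SAML
    AssertionID ValueType (the only form the comment proposes for SAML tokens);
    for allowed references, report whether the AssertionID resolves to an
    assertion in the same header and which confirmation methods it declares.
    """
    assertions = find_assertions(security)
    findings = []
    for str_el in security.iter(qn(WSSE, "SecurityTokenReference")):
        child = next(iter(str_el), None)
        form = child.tag.split("}")[-1] if child is not None else None
        finding = {"form": form, "allowed": False, "assertion_id": None,
                   "resolves": False, "methods": []}
        if form == "KeyIdentifier" and child.get("ValueType") == SAML_ID_VALUETYPE:
            finding["allowed"] = True
            aid = (child.text or "").strip()
            finding["assertion_id"] = aid
            target = assertions.get(aid)
            if target is not None:
                finding["resolves"] = True
                finding["methods"] = confirmation_methods(target)
        findings.append(finding)
    return findings


def analyze(envelope_xml):
    """Parse a SOAP envelope and check the SAML token references in its security header."""
    root = ET.fromstring(envelope_xml)
    security = root.find(".//" + qn(WSSE, "Security"))
    if security is None:
        raise ValueError("no wsse:Security header found")
    return check_token_references(security)


# Constructed sample: one holder-of-key assertion, one compliant KeyIdentifier
# reference inside ds:KeyInfo, and one wsse:Reference that the profile would not permit.
SAMPLE_ENVELOPE = """<S:Envelope xmlns:S="%s" xmlns:wsse="%s" xmlns:ds="%s" xmlns:saml="%s">
  <S:Header>
    <wsse:Security>
      <saml:Assertion AssertionID="_example-assertion-001" MajorVersion="1" MinorVersion="0"
                      Issuer="authority.example.com">
        <saml:AuthenticationStatement>
          <saml:Subject>
            <saml:NameIdentifier>joe@an.example.com</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>%s</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
      <ds:Signature>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="%s">_example-assertion-001</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#_example-assertion-001"/>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>""" % (SOAP, WSSE, DS, SAML, HOLDER_OF_KEY, SAML_ID_VALUETYPE)

if __name__ == "__main__":
    for f in analyze(SAMPLE_ENVELOPE):
        print(f)
```

Running the block prints one finding per token reference: the KeyIdentifier reference is allowed, resolves to the assertion and reports the holder-of-key method (so the relying party must additionally demand proof of the key from the sender), while the wsse:Reference form is flagged as not allowed for SAML tokens.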
