
Hi David,

I fully support the idea to define a credential validation service as complementary to the XACML-based AuthZ service. It's known that the XACML TC keeps strictly from adding attribute validation functionality to the specification. This service/functionality is needed and we will support its specification.

I read both your drafts and have a few general and specific questions. Most of the general questions are related to the terminology and the definition of some basic components. Below are some of them.

1) I don't know whether it is necessary to introduce, in this particular specification that deals with credential validation, push and pull models (for attributes, I guess?). If you want to request attributes based on the authenticated Subject creds/ID, this is actually an Attribute Authority (AA) function. So, why should we embed it into the CVS? Keeping the CVS to perform its major function, to validate presented credentials/attributes, would be more logical.

2) In the WST/SAML document you have sections "4/5. Request Protocol, Push/Pull model" and "6. Response Protocol". Do you mean that there will be separate request and response protocols respectively? However, currently you describe only request and response messages.

3) Can you clarify what is meant by "WS-Trust request protocol message" in section 4? The WST specification specifies mechanisms that can be added to other protocols and messages, especially WS-related and SOAP-based ones.

4) I can guess that in section 7 you define a new element <SubjectAttributeReferenceAdvice>, but it is not clear whether there are no currently available solutions to do the intended attribute request based on the authenticated Subject ID, e.g. in GridShib, to which you refer in the Request pull model in section 3.1.

5) In regard to security considerations, it should be explained somewhere how you protect the CVS response message from possible tampering. Should it be signed by the CVS, or should the WST security mechanisms be used?

Other minor and document-specific questions and comments I will better provide in the form of a revision of your documents.

Regards,
Yuri

David Chadwick wrote:
Dear All
Please find attached my first strawman proposal for a profile for accessing a credential validation service/security token service/PIP.
This document is the first of two. The second will be a profile for XACML for accessing a PDP. As you will read from the attached document, the input to the CVS is a set of credentials, and the output is a set of validated XACML attributes ready for input to the PDP. I look forward to your comments on the above either before or during the next GGF meeting.
regards
David
I have uploaded the attached to gridforge but it does not appear to be visible to the public yet.
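As an added illustration of the data flow described in the message above (presented credentials in, validated XACML attributes out, with tampered or untrusted credentials rejected), here is a minimal CVS check in Python; it is not code from either draft or from the thread's authors. It assumes HMAC tags as a stand-in for issuer signatures, a constructed trusted-issuer table, and hypothetical attribute ids.

```python
import hmac, hashlib, json

# Constructed example: the issuers this CVS trusts and their HMAC keys
# (a stand-in for the signature verification keys a real CVS would hold).
TRUSTED_ISSUERS = {
    "https://issuer.example.org/hr": b"hr-key-constructed",
}

def _digest(issuer, subject, attributes, key):
    # Canonical encoding so the tag covers issuer, subject and attributes.
    payload = json.dumps({"issuer": issuer, "subject": subject,
                          "attributes": attributes}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_credential(issuer, subject, attributes, key):
    """Build a credential as an issuer would (used here only to construct input)."""
    return {"issuer": issuer, "subject": subject, "attributes": attributes,
            "tag": _digest(issuer, subject, attributes, key)}

def validate_credentials(subject, credentials):
    """CVS core function: accept the credentials presented for `subject` and
    return XACML-style attributes for the validated ones, plus the reason each
    rejected credential was dropped (never forwarded to the PDP)."""
    validated, rejected = [], []
    for cred in credentials:
        key = TRUSTED_ISSUERS.get(cred.get("issuer"))
        if key is None:
            rejected.append((cred, "untrusted issuer"))
            continue
        if cred.get("subject") != subject:
            rejected.append((cred, "subject mismatch"))
            continue
        expected = _digest(cred["issuer"], cred["subject"], cred["attributes"], key)
        if not hmac.compare_digest(expected, cred.get("tag", "")):
            rejected.append((cred, "integrity check failed"))
            continue
        for attr_id, value in cred["attributes"].items():
            validated.append({"AttributeId": attr_id, "Value": value,
                              "Issuer": cred["issuer"],
                              "Category": "access-subject"})
    return validated, rejected
```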