Okay, I'll look at the document in more detail. I believe I already mentioned to Valerio that I think there is benefit to having two separate documents, one for the protocol and one for the attributes. This allows parts to be updated more easily and, if written properly, would allow the attributes spec to be cited by things unrelated to XACML but still wanting to use the attributes you define. I'll note the SAML profile document has both protocol and attribute profiles in it. The TC botched much of the attribute profile text, and now there's errata that basically says to ignore what's in the SAML profile document, in regards to attributes, and refer to a set of other documents that are now available or in progress. Seems like avoiding even the chance of having to do that is a good thing.

David Chadwick wrote:
Hi Valerio and Chad
Valerio Venturi wrote:
Hi Chad, your work aims at satisfying the same need as one of the current WG drafts, Use of XACML Request Context to Obtain an Authorization Decision, last version at https://forge.gridforum.org/sf/docman/do/downloadDocument/projects.ogsa-auth...
One difference is that this one states only that the SAML V2.0 Profile for XACML V2.0 is used for carrying the message, while yours goes deeper into details and mandates using the SAML SOAP Binding. I think this suits the WG specification as well, and this is exactly what the SAML Profile for XACML was meant for: to leverage the protocols and bindings that SAML has, which XACML doesn't.
I agree. Where there are different options that are not pinned down sufficiently tightly in the existing drafts, then we should be adding additional text in order to ensure interworking.
The other requirements seem sound to me as well. Please keep us informed of your efforts, so that we can exchange experiences and find a convergence. David, as the main author of the XACML spec, do you think Chad's doc requirements can be received in your doc?
I have no problems with this. After all this is meant to be the WG spec that is reached by common consensus. So if most people in the WG want these additions they will be adopted.
I really hope so, since I'm implementing those too :). Actually, when we speak of web services, most of the time it is assumed you'll be using SOAP over HTTP, but I think it's worth being clear in a spec.
Agreed. It is always good to explicitly spell out all assumptions, since years later different people with different assumptions can read the spec and then misinterpret it.
Another thing: what about a WSDL? We are publishing one, though non-normative, in the Attribute Exchange Profile. In general, I think a WSDL helps adoption a lot, so it may be a good idea to have one in. What do you think? Chad, needless to say, your comments on the WG doc are also very much appreciated.
I second that. We need to know which bits you agree with and which bits you don't, or which bits are not explicit enough.
regards
David
Valerio
On Mon, 2007-12-03 at 06:54 -0800, Chad La Joie wrote:
For part of some EGEE work that I'm involved in I came up with a profile, in draft form currently, for the XACML over SAML protocol defined within the OASIS XACML working group. Valerio suggested that I make it available to this working group for possible adoption in your efforts.
The draft can be found here: http://switch.ch/grid/support/documents/xacmlsaml.pdf
The basic goal of the document is to restrict possible options into a baseline subset such that discrete implementations might interoperate. I think Valerio's summary of the document, as follows, is good:
- requirement for using the SAML SOAP binding as in SAMLBind
- requirement for having mutual authentication between the requester and the responder
- some requirements on the elements usage
- requirements on authN, integrity and confidentiality
Note this document is only about interoperability at the protocol level, it does not speak to the other necessary item here which is a profile for the information (attributes) within the XACML request/response context. I know that individuals here have already been working on such a document.
Comments on the document are welcome. We will be going forward with an immediate implementation of this draft for the EGEE work, but that should only be taken as a reflection of a constrained timeline for a short-term project, not as an indication that the profile is already as good as possible.
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
-- SWITCH Serving Swiss Universities -------------------------- Chad La Joie, Software Engineer, Security Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 75, fax +41 44 268 15 68 chad.lajoie@switch.ch, http://www.switch.ch