
Here is my set of comments.

Dane

*** Substantive Issues ***

Section 6.a.ii Element <SubjectAttributeReferenceAdvice>
The schema fragment indicates an unbounded maxOccurs of element AttributeDesignator. Does the error response for a receiver overflow need to be specified, or is this inherited from SAML (or unnecessary since it's an advice element)?

Section 6.b, attribute Recipient
The specification states the requirements for this attribute when the initiating ExtendedAuthorizationDecisionQuery contains a Recipient attribute, but does not state requirements when the initiating ExtendedAuthorizationDecisionQuery does not. Is it "MAY" or "SHOULD NOT" in that case?

Section 7.a (Extended) AuthorizationDecisionQuery
The "client MUST" at the beginning of this section seems to me to preclude the possibility of a client giving blanket authorization for some action (say the equiv of reading a webpage). Should the section rather start "An OGSA client SHOULD request an authorization decision. A client requesting an authorization decision MUST do so using either ..."?

Section 7.a X.509 Proxy Certificate Format Identifier
Reference [ProxyCerts] seems to me should point to RFC 3820 and be normative. What is the reason to reference (only) the workshop paper?

Section 7.a.2.i SubjectConfirmation Element
The condition "authenticated using the Grid Security Infrastructure" would seem to me to require a normative reference in a normative section. Is there a normative reference available, or should this be defined here?

Section 7.a.2.ii.1 Grid Services
The condition "is a Grid service" would seem to me to require a normative reference in a normative section. Is there a normative reference available, or should this be defined here?

Section 7.a.2.ii.2 Wildcard Resource
Bullet 1 under this section states the desire to be "to learn the subject's rights on all the resources of which the authorization service is aware." This seems like an unbounded desire and not the obligation we wish to imply on the authorization service. Should this rather be "all resources for which the authorization service believes itself to be authoritative"?

Section 8.c Full WSDL
This section shows WSDL to create an "OGSI SAML Grid Authorization Service". However, this doc is about using SAML for OGSA authorization. Should this rather read "OGSA SAML ..."?

I would suggest that Section 17 was a useful primer for discussion/creation of this document, but should be removed from the final form of this specification document (keep them clean). It would be nice to capture this text as a working document in the WG as a short background summary. Implementers with questions (i.e. the primary audience for this document) about SAML should be referred to the normative SAML docs.

*** Editorial comments ***

The "ogsa-saml" XML namespace isn't at the URI listed. Is this a chicken-and-egg problem or a problem with the website? (There are others as well inside the doc.)

Section 4, paragraph 2, sentence 1, should read "... and it is upon this version of SAML ..."

Section 5a, subbullet 1, sentence 3, should read "... if all actions were allowed or ..."

Section 6.a, attribute RequestedSigned, sentence 2: should this read "This element SHOULD contain the QName..."?

Section 6.b, element "Recipient"
Should this element be tagged "[Optional]" with the explanatory text below, or is the convention to leave such conditionals untagged?

Section 6.b, paragraph 3 has a spelling error for <SimpleAuthorizationDecisionStatement> (missing the 3rd "i").

Section 7, paragraph 1, sentence 2, should read "... used to meet OGSA requirements ..." (transposition).

Section 7.a.2
Should the phrase "domain of resources" be defined? <Is this defined in the AuthZ glossary?>

Section 7.a.4
Should the list of things an Evidence element may contain be enumerated as a list itself or left inline? (I found referents tough to determine clearly.)

Section 7.a.2.i
The editor's note on X509PKiPathv1 remains. This needs to be resolved and removed.

Section 7.a.2.ii Resource String
Should this sentence begin rather "The Resource string MUST be "*" ..."?

Section 7.a.2.iii.2 Grid Service Data Access
There seems a number mismatch in sentence 1. Should it read rather "... (SDEs) associated with a Grid Service ..."?

Section 7.a.2.iii.2 (various places)
Should the text read rather "The action string SHOULD contain the QName..."?

Section 7.b.i Conditions Element, Paragraph 2, sentence 3 should read "... using, for example, elements of XACML." (I'm not sure if the section numbering change is an artifact of my OpenOffice or the .doc.)

Section 7.b.iii AuthorizationDecisionStatement Element, paragraph 2 should read "... render a decision due to ..."

Section 7.b.iv AttributeStatement Element should expand the RBAC acronym (first use).

Section 7.b.v Signature Element should read "... places no constraints on ..."

Section 8.a.ii supportsIndeterminate should read "... may not allow the return of indeterminate."
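The first substantive comment above raises the question of what a receiver should do when an unbounded `maxOccurs` on `AttributeDesignator` lets a query carry arbitrarily many designators. Whatever the draft ends up specifying, the receiving authorization service needs a concrete bound and a defined rejection. The following is an added example of such a receiver-side check; it is not part of Dane's comments, the draft, or any OGSA implementation. It assumes a placeholder namespace URI for `ogsa-saml`, assumed limit values, and that `<SubjectAttributeReferenceAdvice>` sits directly under the query element (the real placement and namespace come from the draft). The SAML 1.x assertion namespace used for `AttributeDesignator` is the real one.

```python
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (real); saml:AttributeDesignator lives here.
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Placeholder for the ogsa-saml namespace; the real URI is not reproduced here.
OGSA_NS = "urn:example:ogsa-saml-placeholder"

# Receiver-side policy limits. Assumed values, not from the draft specification.
MAX_ATTRIBUTE_DESIGNATORS = 16   # cap on designators per query
MAX_REQUEST_BYTES = 64 * 1024    # cheap size bound applied before parsing


class AdviceTooLarge(ValueError):
    """Raised when a query exceeds the receiver's configured bounds."""


def extract_attribute_designators(xml_text, limit=MAX_ATTRIBUTE_DESIGNATORS):
    """Return (AttributeName, AttributeNamespace) pairs from every
    <SubjectAttributeReferenceAdvice> in the query.

    Two bounds are enforced: the serialized request size before parsing,
    and the total number of AttributeDesignator children across all
    advice elements after parsing. Both failures raise AdviceTooLarge so
    the caller can map them to a single, well-defined error response.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    if len(data) > MAX_REQUEST_BYTES:
        raise AdviceTooLarge(f"request is {len(data)} bytes, limit {MAX_REQUEST_BYTES}")

    root = ET.fromstring(data)
    advice_tag = f"{{{OGSA_NS}}}SubjectAttributeReferenceAdvice"
    designator_tag = f"{{{SAML_ASSERTION_NS}}}AttributeDesignator"

    found = []
    for advice in root.iter(advice_tag):
        for designator in advice.findall(designator_tag):
            found.append((designator.get("AttributeName"),
                          designator.get("AttributeNamespace")))
            if len(found) > limit:
                # Stop at the first excess element rather than collecting them all.
                raise AdviceTooLarge(f"more than {limit} AttributeDesignator elements")
    return found


def is_within_bounds(xml_text, limit=MAX_ATTRIBUTE_DESIGNATORS):
    """True if the query passes both bounds, False if it would be rejected."""
    try:
        extract_attribute_designators(xml_text, limit)
        return True
    except AdviceTooLarge:
        return False


def build_sample_query(n):
    """Constructed sample: a minimal query whose advice carries n designators."""
    designators = "".join(
        f'<saml:AttributeDesignator AttributeName="attr{i}" '
        f'AttributeNamespace="urn:example:attrs"/>'
        for i in range(n)
    )
    return (
        f'<ogsa:ExtendedAuthorizationDecisionQuery xmlns:ogsa="{OGSA_NS}" '
        f'xmlns:saml="{SAML_ASSERTION_NS}">'
        f"<ogsa:SubjectAttributeReferenceAdvice>{designators}"
        "</ogsa:SubjectAttributeReferenceAdvice>"
        "</ogsa:ExtendedAuthorizationDecisionQuery>"
    )


if __name__ == "__main__":
    print(extract_attribute_designators(build_sample_query(3)))
    print("17 designators accepted:", is_within_bounds(build_sample_query(17)))
```

The byte-size check runs before any XML parsing so that an oversized message is refused without the parser ever allocating for it; the element count is then checked incrementally during extraction so a query just over the limit is rejected as soon as the limit is crossed. If the draft settles on inheriting SAML's error handling instead of defining its own, only the exception-to-response mapping changes, not the bounds themselves.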