Hi all, On Sun, 2008-01-13 at 10:26 -0500, Tom Scavo wrote:
On 1/10/08, Blair Dillaway <blaird@microsoft.com> wrote:
A few comments and questions on this draft:
Thanks for the feedback, Blair. Please see the comments below.
1) This spec effectively says that all necessary protocols and encodings have already been defined by OASIS (SAMLCore, SAMLBind, SAMLX509, SAMLPRof). If that's the case, and there's no substantive profiling required, it may be more appropriate to make this an informational document.
I tend to agree with you. It make sense.
2) The only 'profiling' statement seems to be a requirement that SAML Attributes conform to the XACML Attribute Profile. Since "Use of WS-TRUST and SAML to access a CVS" requires this, it is good for consistency. However, comments in the doc indicate some disagreement on whether this a requirement.
I was the one who inserted that comment in the doc and I still feel that way. If all we're interested in is attribute exchange (and that's precisely what this document is about), then the desired attribute profile (if any) is mostly irrelevant. The reason why it was there in the first place, was exactly the one Blair mentioned, easier compatibility with the other specifications of the WG. After the discussion, I tended to agree with Tom, that the choice may be left to developers. Probably a warning that using attributes that are convertible to XACML (so are those compliant to the XACML Attribute profile) woudl make interopration wiht other spec easier should be in a overall architectuire document.
I think the normative statement in section 4.1 about the XACML Attribute Profile can be removed altogether. In that case, your suggestion in (1) above is even more relevant.
If it changes, I think you should justify the difference in the two specs.
I don't think removing the normative language regarding the XACML Attribute Profile leads to an inconsistent family of specifications. On the contrary, removing this restriction makes this specification more usable in general.
3) Given the reliance on [SAMLX509], it seems this spec is geared toward environments relying on X.509 principal authentication. If so, you might want to make that clear in the introduction.
The use case outlined in [SAMLX509] is pretty clear about this, but yes, it can perhaps be mentioned in the introduction to the OGSA Attribute Exchange Profile. Agreed.
4) Both this spec and "Use of WS-TRUST and SAML to access a CVS" deal with attribute retrieval. It would be good clarify how this spec fits into the model used in the other WG specs (i.e., Section 3 of the latter spec) to aid readers in understanding where each is intended to be used.
Yes, I agree, especially if we choose to convert this to an informational document as you suggest. There's the Functional Components document for that. You're suggesting that a brief review of that be done also in the other specs? Infact, the requets decision specs has an architecture overview. I thin that having the architecture once in the architectire document may suffice. This is also one concerns that others have, to include an architecture overview in the specifics specs.
You may also want to provide a brief rationale for why the SAML protocol is appropriate for this spec while WS-Trust is appropriate in the latter.
I'm not sure what form this rationale would take. What alternatives to SAML attribute query are there? Moreover, I don't think it's appropriate for this spec to rationalize choices in the other spec.
The protocols are different. WS-Trust is used because you need to send an assertion to the service and get an assertion back. SAML attribute queries cannot do that. But I'll leave David comments on that.
5) I was surprised to see no discussion of mutual authentication, integrity, and confidentiality. The OASIS specs do mention various ways of handling message security, but I don't believe they mandate any specific security mechanisms.
[SAMLX509] mandates mutual authentication and suggests possible ways to achieve integrity and confidentiality. If you have comments or concerns about the security requirements in [SAMLX509], I encourage you to submit your comments to OASIS while [SAMLX509] remains in its Public Review period (through Feb 9):
http://www.oasis-open.org/archives/tc-announce/200712/msg00004.html
Also, you may want to review the proposed "SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems," which has significantly stronger security requirements than [SAMLX509].
Within grids, I would have thought people would want a message security interop profile all implementers would agree to support.
In that case, you may prefer the security requirements of the "SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems." I really would like to hear your reactions to that profile (but, please, direct your comments to OASIS, not here).
I would be interested in hearing other opinions regarding the security requirements in [SAMLX509], and whether they are adequate for the OGSA Attribute Exchange Profile. If not, we have two choices: 1) send comments to OASIS regarding [SAMLX509] and wait to see how the SSTC responds, or 2) insert the desired security requirements in the OGSA profile. Of course if we add more normative language to the OGSA profile, we won't be able to convert it to an "informational" document, but that's okay, I guess.
I think the requirements in SAMLX509 are appropiate. But a similar discussion was made for the authz decision spec, without reaching a real agreement. Valerio