
Takuya,

Apologies for the slow response to your comments. My responses are embedded below.

Von

Takuya Mori writes (21:35 March 13, 2005):
Hi All,
Please find my comments on the SAML AuthZ Service Document in the below:
1. 5.1 Element <ExtendedAuthorizationDecisionQuery> Request Signed Element - How should the client behave if it gets an unsigned response although it has requested a signed one? - Does a client have a free choice for the behavior? i.e. a client may ignore the response if it isn't signed even if it has requested a signed response.
I think it is ultimately up to the client in this case. I've added the following line to the end of the paragraph: An entity receiving an unsigned response when they requested a signature SHOULD disregard it, but MAY choose to use it depending on the application context.
2. 6.1.1 NameIdentifier Element - Is the NameQualifier element open for use by applications? IMO, it is good to make it open for application usage.
My understanding from speaking to those in the SAML community is that the NameQualifier field is underspecified and it's best to avoid it, as many implementations don't have appropriate tooling for dealing with it. We don't talk about the NameQualifier at the moment. It's not clear to me that it's a good idea to introduce it at this point.
3. 6.1.2 SubjectConfirmation Element - Should the ConfirmationMethod still be set to http://www.gridforum.org/ogsa-authz/saml/2004/01/am/gsi even if the subject confirmation contains an X509 ID cert?
Good question. I'm inclined to say that if no proxy certificate was involved in the authentication it SHOULD be marked as standard X509, but leave the door open for implementations to mark it as GSI if they don't distinguish between EECs and PCs. My proposed text:

<quote>
If the subject was authenticated using a Proxy Certificate, the ConfirmationMethod element MUST contain the following URI: http://www.gridforum.org/ogsa-authz/saml/2004/01/am/gsi

If the subject was authenticated using a standard X.509 Identity Certificate, the ConfirmationMethod element SHOULD contain the following URI (as defined by [SAML]); however, it MAY contain the URI for Proxy Certificate authentication in the event an implementation does not distinguish between the two. URI: urn:oasis:names:tc:SAML:1.0:am:X509-PKI
</quote>
- How should a responder (authz svc) behave if the data of a subject is supplied in the SubjectConfirmation Element? Is it required to validate the data?
I assume you mean if the data was NOT supplied. It's not required, and its presence is a SHOULD, not a MUST. So I think it's fairly clear a client can't rely on it being there.
4. 6.1.4 Action Elements - I think it would be better to define the string representation more specifically. The QName of the operation would be better.
Let me ask our implementors and see what they have done. Von
Hope it isn't late, Takuya Mori
---- Takuya Mori
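As an added example, not part of this thread or of the OGSA-AuthZ specification, the following Python applies the two client-side rules discussed in points 1 and 3 above: disregard an unsigned response when a signature was requested (unless the application context allows it), and read the ConfirmationMethod URI to tell a proxy-certificate (GSI) confirmation from a standard X.509 one. It assumes the SAML 1.x namespaces; the sample response, the NameIdentifier value and the empty ds:Signature placeholder are constructed for illustration.

```python
# Added example (editor-supplied; not code from the thread or the OGSA-AuthZ spec).
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
GSI_METHOD = "http://www.gridforum.org/ogsa-authz/saml/2004/01/am/gsi"
X509_METHOD = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

def should_use_response(response_xml, signature_requested, app_accepts_unsigned=False):
    """Point 1: if a signature was requested and the response carries none,
    disregard it (SHOULD) unless the application context accepts unsigned
    responses (MAY). This only checks that a ds:Signature element is present;
    the signature itself must still be verified with an XML-DSig library."""
    root = ET.fromstring(response_xml)
    signed = root.find(f"{{{DSIG_NS}}}Signature") is not None
    if signature_requested and not signed:
        return app_accepts_unsigned
    return True

def classify_confirmation(response_xml):
    """Point 3: report how each asserted subject was authenticated from its
    ConfirmationMethod URI: 'gsi' (proxy certificate, or an issuer that does
    not distinguish EEC from proxy), 'x509' (standard identity certificate),
    or 'unknown'."""
    root = ET.fromstring(response_xml)
    results = []
    for subj in root.iter(f"{{{SAML_NS}}}Subject"):
        name = subj.findtext(f"{{{SAML_NS}}}NameIdentifier", default="")
        methods = [m.text.strip() for m in subj.iter(f"{{{SAML_NS}}}ConfirmationMethod") if m.text]
        kind = "gsi" if GSI_METHOD in methods else "x509" if X509_METHOD in methods else "unknown"
        results.append((name, kind))
    return results

# Constructed sample response (unsigned) with one GSI-confirmed subject.
SAMPLE_UNSIGNED = f"""
<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">
  <saml:Assertion>
    <saml:AuthorizationDecisionStatement Resource="urn:example:resource" Decision="Permit">
      <saml:Subject>
        <saml:NameIdentifier>CN=alice,O=Example</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>{GSI_METHOD}</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
</samlp:Response>""".strip()
# Same response with a placeholder (constructed, empty) Response-level signature element.
SAMPLE_SIGNED = SAMPLE_UNSIGNED.replace(
    "<saml:Assertion>", f'<ds:Signature xmlns:ds="{DSIG_NS}"/><saml:Assertion>', 1)
```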