[OGSA-AUTHZ] Draft XACML/SAML Protocol Profile
David Chadwick
d.w.chadwick at kent.ac.uk
Tue Dec 4 11:48:18 CST 2007
Chad La Joie wrote:
> Okay, I'll look at the document in more detail.
>
> I believe I already mentioned to Valerio that I think there is benefit
> to having two separate documents, one for the protocol and one for the
> attributes.
Its more than just attributes. Obligations also need to be standardised.
Perhaps CRUD actions as well.
This allows parts to be updated more easily and, if written
> properly, would allow the attributes spec to be cited by things
> unrelated to XACML but still wanting to the attributes you define.
Agreed. This has been discussed by the WG. Its all a question of timing.
If the attributes/obligations etc can come quickly after the protocol
profiles this will be fine, but if it takes years then it would be too long.
regards
David
>
> I'll note the SAML profile document has both protocol and attribute
> profiles in it. The TC botched I much of the attribute profile text and
> now there's errata that basically says to ignore whats in the SAML
> profile document, in regards to attributes, and refer to a set of other
> documents that are now available or in progress. Seems like avoiding
> the even the chance of having to do that is a good thing.
>
> David Chadwick wrote:
>> Hi Valerio and Chad
>>
>> Valerio Venturi wrote:
>>> Hi Chad,
>>> your work aims at satisfying the same need of one the current WG
>>> draft, Use of XACML Request Context to Obtain an Authorization Decision,
>>> last version at
>>> https://forge.gridforum.org/sf/docman/do/downloadDocument/projects.ogsa-authz/docman.root.authz_service/doc14907
>>>
>>> One difference is that this one states only that the SAML V2.0 Profile
>>> for XACLM V2.0 is used for carrying the message, while yours go deeper
>>> into details and mandate to using the SAML SOAP Binding. I think this
>>> suits also the WG specification, and this is exaclty what the SAML
>>> Profile for XACML was meant to, to leverage protocols and bindings that
>>> SAML have, why XACLM doesn't.
>> I agree. Where there are different options that are not pinned down
>> sufficiently tightly in the existing drafts, then we should be adding
>> additional text in order to ensure interworking.
>>
>>
>>> The other requirements seems to me sounding as well. Please keep us
>>> informed of your efforts, so that we can exhange experiences and find a
>>> convergence. David, as the main author of the XACML spec, do you think
>>> Chad's doc
>>> requirements can be received in your doc?
>> I have no problems with this. After all this is meant to be the WG spec
>> that is reached by common consensus. So if most people in the WG want
>> these additions they will be adopted.
>>
>> I really hope so, since I'm
>>> implementing those too:). Actually, when we speak of web services, most
>>> of the time is assumed you'll be using SOAP over HTTP, but I think it's
>>> worth be clear in a spec.
>> agreed. It is always good to explictly spell out all assumptions, since
>> years later different people with different assumptions can read the
>> spec and then misinterpret it.
>>
>>
>>> Another thing, what about a WSDL? We are publishing one, though non
>>> normative, in the Attribute Exchange Profile. In general, I think WSDL
>>> helps adoption a lot, so it may be a good idea having one in. What do
>>> you think?
>>> Chad, needless, your comemnts on the WG doc are also very much
>>> appreciated.
>> I second that. We need to know which bits you agree with and which bits
>> you dont, or which bits are not explicit enough
>>
>> regards
>>
>> David
>>
>>> Valerio
>>>
>>> On Mon, 2007-12-03 at 06:54 -0800, Chad La Joie wrote:
>>>> For part of some EGEE work that I'm involved in I came up with a
>>>> profile, in draft form currently, for the XACML over SAML protocol
>>>> defined within the OASIS XACML working group. Valerio suggested that
>>>> I make it available to this working group for possible adoption in
>>>> your efforts.
>>>>
>>>> The draft can be found here:
>>>> http://switch.ch/grid/support/documents/xacmlsaml.pdf
>>>>
>>>> The basic goal of the document is to restrict possible options into a
>>>> baseline subset such that discreet implementations might
>>>> inter-operate. I think Valerio's summary of the document, as
>>>> follows, is good:
>>>> - requirement for using the SAML SOAP binding as in SAMLBind
>>>> - requirement for having mutual authentication between the requester and
>>>> the responder
>>>> - some requirements on the elements usage
>>>> - requirements on authN, integrity and confidentiality
>>>> Note this document is only about interoperability at the protocol
>>>> level, it does not speak to the other necessary item here which is a
>>>> profile for the information (attributes) within the XACML
>>>> request/response context. I know that individuals here have already
>>>> been working on such a document.
>>>>
>>>> Comments are welcome to the document. We will be going forward with
>>>> an immediate implementation of this draft for the EGEE work, but that
>>>> should only be taken as a reflection of a constrained timeline for a
>>>> short-term project, not as an indication that the profile is already
>>>> as good as possible.
>>>>
>>> --
>>> ogsa-authz-wg mailing list
>>> ogsa-authz-wg at ogf.org
>>> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>>>
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
More information about the ogsa-authz-wg
mailing list