[OGSA-AUTHZ] Comments on "Use of SAML for OGSA Authorization"

dane at fnal.gov
Mon Jan 3 11:57:41 CST 2005


Here is my set of comments.
Dane

*** Substantive Issues ***

Section 6.a.ii Element <SubjectAttributeReferenceAdvice>
The schema fragment indicates an unbounded maxOccurs of element
AttributeDesignator. Does the error response for a receiver overflow
need to be specified or is this inherited from the SAML (or
unnecessary since it's an advice element) ?

Section 6.b, attribute Recipient
The specification states the requirements for this attribute when the
initiating ExtendedAuthorizationDecisionQuery contains a Recipient
attribute, but does not state requirements when the initiating
ExtendedAuthorizationDecisionQuery does not. Is it "MAY" or "SHOULD
NOT" in that case?

Section 7.a (Extended) AuthorizationDecisionQuery
The "client MUST" at the beginning of this section seems to me to
preclude the possibility of a client giving blanket authorization for
some action (say the equivalent of reading a webpage). Should the section
rather start "An OGSA client SHOULD request an authorization decision.
A client requesting an authorization decision MUST do so using either
..." ?

Section 7.a X.509 Proxy Certificate Format Identifier
Reference [ProxyCerts], it seems to me, should point to RFC 3820
and be normative. What is the reason to reference (only) the workshop
paper ?

Section 7.a.2.i SubjectConfirmation Element
The condition "authenticated using the Grid Security Infrastructure"
would seem to me to require a normative reference in a normative
section. Is there a normative reference available or should this be
defined here ?

Section 7.a.2.ii.1 Grid Services
The condition "is a Grid service" would seem to me to require a
normative reference in a normative section. Is there a normative
reference available or should this be defined here ?

Section 7.a.2.ii.2 Wildcard Resource
Bullet 1 under this section states the desire to be "to learn the
subject's rights on all the resources of which the authorization
service is aware." This seems like an unbounded desire and not the
obligation we wish to imply on the authorization service. Should this
rather be "all resources for which the authorization service believes
itself to be authoritative" ?

Section 8.c Full WSDL
This section shows WSDL to create an "OGSI SAML Grid Authorization
Service". However, this doc is about using SAML for OGSA
authorization. Should this rather read "OGSA SAML ..." ?

I would suggest that Section 17 was a useful primer for
discussion/creation of this document, but should be removed from the
final form of this specification document (keep them clean). It would
be nice to capture this text as a working document in the WG as a
short background summary. Implementers with questions (ie. the
primary audience for this document) about SAML
should be referred to the normative SAML docs.



*** Editorial comments ***

The "ogsa-saml" XML namespace isn't at the URI listed. Is this a
chicken-and-egg problem or a problem with the website ?
(there are others as well inside the doc)

Section 4, paragraph 2, sentence 1, should read "... and it is upon
this version of SAML ..."

Section 5a, subbullet 1, sentence 3, should read "... if all actions
were allowed or ..."

Section 6.a, attribute RequestedSigned, sentence 2: should this read
" This element SHOULD contain the QName..." ?

Section 6.b, element "Recipient"
Should this element be tagged "[Optional]" with the explanatory text
below or is the convention to leave such conditionals untagged ?

Section 6.b, paragraph 3 has a spelling error for
<SimpleAuthorizationDecisionStatement> (missing the 3rd "i")

Section 7, paragraph 1, sentence 2, should read "... used to meet OGSA
requirements ..." (transposition)

Section 7.a.2
Should the phrase "domain of resources" be defined ? <Is this defined
in the AuthZ glossary ?>

Section 7.a.4
Should the list of things an Evidence element may contain be
enumerated as a list itself or left inline ? (I found the referents
tough to determine clearly.)

Section 7.a.2.i
The editor's note on X509PKiPathv1 remains. This needs to be resolved
and removed.

Section 7.a.2.ii Resource String
Should this sentence begin rather "The Resource string MUST be "*" ...
" ?

Section 7.a.2.iii.2 Grid Service Data Access
There seems to be a number mismatch in sentence 1. Should it rather read
"... (SDEs) associated with a Grid Service ..." ?

Section 7.a.2.iii.2 (various places)
Should the text rather read "The action string SHOULD contain the
QName..." ?

Section 7.b.i Conditions Element, Paragraph 2, sentence 3 should read
"... using, for example, elements of XACML."
(I'm not sure if the section numbering change is an artifact of my
OpenOffice or the .doc)

Section 7.b.iii AuthorizationDecisionStatement Element, paragraph 2
should read "... render a decision due to ..."

Section 7.b.iv AttributeStatement Element should expand the RBAC
acronym (first use)

Section 7.b.v Signature Element should read "... places no constraints
on ..."

Section 8.a.ii supportsIndeterminate should read "... may not allow
the return of indeterminate."
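An added example (not from the draft and not part of this message) of the receiver-side handling that the Section 6.a.ii comment asks about: because the schema leaves AttributeDesignator with maxOccurs="unbounded", a receiver has to pick its own bound, check the input size before a DOM parse, and return an explicit error rather than rely on schema validation alone. The ogsa namespace URI, element names, and both limits are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: the SAML 1.x assertion namespace plus a placeholder
# for the ogsa-saml namespace (the real URI is the one the draft lists).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
OGSA_NS = "urn:example:ogsa-saml-placeholder"
NS = {"saml": SAML_NS, "ogsa": OGSA_NS}

# Hypothetical local receiver limits: the schema says maxOccurs="unbounded",
# so the receiver has to choose its own bounds and its own error behaviour.
MAX_DESIGNATORS = 16
MAX_ADVICE_BYTES = 64 * 1024

def build_advice(n):
    """Constructed <saml:Advice> carrying n AttributeDesignator elements."""
    designators = "".join(
        f'<saml:AttributeDesignator AttributeName="attr{i}" '
        f'AttributeNamespace="urn:example:attrs"/>' for i in range(n))
    return (f'<saml:Advice xmlns:saml="{SAML_NS}" xmlns:ogsa="{OGSA_NS}">'
            f"<ogsa:SubjectAttributeReferenceAdvice>{designators}"
            "</ogsa:SubjectAttributeReferenceAdvice></saml:Advice>")

def check_advice(xml_text, limit=MAX_DESIGNATORS, max_bytes=MAX_ADVICE_BYTES):
    """Return ("ok", count) or ("error", reason) for one Advice element.

    The byte bound is checked before parsing, because a DOM parser has
    already consumed the memory by the time element counting can start.
    """
    if len(xml_text.encode("utf-8")) > max_bytes:
        return ("error", f"advice larger than {max_bytes} bytes")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ("error", f"malformed XML: {exc}")
    advice = root.find("ogsa:SubjectAttributeReferenceAdvice", NS)
    if advice is None:
        return ("ok", 0)  # the advice element is optional; nothing to bound
    count = 0
    for child in advice:
        if child.tag == f"{{{SAML_NS}}}AttributeDesignator":
            count += 1
            if count > limit:
                return ("error", f"more than {limit} AttributeDesignator elements")
    return ("ok", count)

if __name__ == "__main__":
    print(check_advice(build_advice(3)))
    print(check_advice(build_advice(MAX_DESIGNATORS + 1)))
```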
