[OGSA-AUTHZ] SAML AuthZ Service Document Comments

Von Welch vwelch at ncsa.uiuc.edu
Wed May 18 11:23:43 CDT 2005


Takuya,

 Apologies for the slow response to your comments. My responses are
embedded below.

Von

Takuya Mori writes (21:35 March 13, 2005):
 > Hi All,
 > 
 > Please find my comments on the SAML AuthZ Service Document in the
 > below:
 > 
 > 1. 5.1 Element <ExtendedAuthorizationDecisionQuery>
 >   Request Signed Element
 >   - How should the client behave if it gets an unsigned response although
 >     it has requested a signed one?
 >   - Does a client have a free choice for the behavior?
 >     ie. A client may ignore the response if it isn't signed even if
 >         it has requested a signed response.

I think it is ultimately up to the client in this case. I've added the
following line to the end of the paragraph:

An entity receiving an unsigned response when they requested a
signature SHOULD disregard it, but MAY choose to use it depending on
the application context.

 > 2. 6.1.1 NameIdentifier Element
 >  - Is the NameQualifier element open for use by applications?
 >    IMO, it is good to make it open for application usage

My understanding from speaking to those in the SAML community is that
the NameQualifier field is underspecified and it's best to avoid it as
many implementations don't have appropriate tooling for dealing with
it.

We don't talk about the NameQualifier at the moment. It's not clear to
me it's a good idea to introduce it at this point.

 > 
 > 3. 6.1.2 SubjectConfirmation Element 
 >  - Should the confirmationMethod still be set to
 >    http://www.gridforum.org/ogsa-authz/saml/2004/01/am/gsi
 >    even if the subject confirmation method contains an X509 Id cert?

Good question. I'm inclined to say that if no proxy certificate was
involved in the authentication it SHOULD be marked as standard X509,
but leave the door open for implementations to mark it as GSI if they
don't distinguish between EECs and PCs.

My proposed text:

<quote>
If the subject was authenticated using a Proxy Certificate, the
ConfirmationMethod element MUST contain the following URI:

http://www.gridforum.org/ogsa-authz/saml/2004/01/am/gsi

If the subject was authenticated using a standard X.509 Identity
Certificate, the ConfirmationMethod element SHOULD contain the
following URI (as defined by [SAML]), however it MAY contain the URI
for Proxy Certificate authentication in the event an implementation
does not distinguish between the two.

URI: urn:oasis:names:tc:SAML:1.0:am:X509-PKI
</quote>

 >  - How should a responder (authz svc) behave if the data of a subject
 >    is supplied in the SubjectConfirmation Element?  Is it required
 >    to validate the data?

I assume you mean if the data was NOT supplied.

It's not required and its presence is a SHOULD not a MUST. So I think
it's fairly clear a client can't rely on it being there.

 > 4. 6.1.4 Action Elements
 >  - I think it would be better to define the string representation
 >    more specifically.  The QName of the operation would be better.

Let me ask our implementors and see what they have done.

Von

 > 
 > Hope it isn't late,
 > Takuya Mori
 > 
 > ----
 >     Takuya Mori
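A relying-party check of the two rules discussed in this thread (an unsigned assertion when a signature was requested, and which ConfirmationMethod URI is acceptable given whether a proxy certificate was used), as an added example that is not part of the original message or the OGSA-AuthZ specification. The `authenticated_with_proxy` flag, the `sample_assertion` builder and the constructed assertions are assumptions for illustration; the signature check only tests presence, not cryptographic validity.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
GSI_METHOD = "http://www.gridforum.org/ogsa-authz/saml/2004/01/am/gsi"
X509_METHOD = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"


def check_assertion(xml_text, requested_signature, authenticated_with_proxy):
    """Return the list of policy violations found (empty list = acceptable).

    requested_signature: the client asked the responder for a signed response.
    authenticated_with_proxy: hypothetical input saying whether the subject
    presented a proxy certificate (the thread does not define such a flag)."""
    root = ET.fromstring(xml_text)
    problems = []

    # Rule 1 (section 5.1 discussion): signature requested but none present.
    # Presence of a ds:Signature child only; real verification needs XML-DSig.
    if requested_signature and root.find(f"{{{DSIG_NS}}}Signature") is None:
        problems.append("unsigned assertion although a signature was requested")

    # Rule 2 (section 6.1.2 proposal): GSI URI is always acceptable, the plain
    # X509-PKI URI only when no proxy certificate was involved.
    methods = [m.text.strip() for m in root.iter(f"{{{SAML_NS}}}ConfirmationMethod") if m.text]
    if not methods:
        problems.append("no ConfirmationMethod present")
    for method in methods:
        if method == GSI_METHOD:
            continue
        if method == X509_METHOD:
            if authenticated_with_proxy:
                problems.append("proxy-certificate authentication MUST use the GSI URI")
            continue
        problems.append(f"unrecognised ConfirmationMethod: {method}")
    return problems


def sample_assertion(method, signed):
    """Build a constructed SAML 1.0 assertion for testing (not real data)."""
    sig = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DSIG_NS}">
  {sig if signed else ""}
  <saml:AuthorizationDecisionStatement>
    <saml:Subject>
      <saml:NameIdentifier>/C=US/O=Example/CN=Constructed User</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""
```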
