[OGSA-AUTHZ] New document. WS-TRUST/SAML profile
Yuri Demchenko
demch at science.uva.nl
Wed Apr 19 03:38:21 CDT 2006
Hi David,
I fully support the idea to define a credentials validation service as
complementary to the XACML-based AuthZ service.
It's known that the XACML TC strictly refrains from adding attribute
validation functionality to the specification.
This service/functionality is needed and we will support its
specification.
I read both your drafts and have a few general and specific questions.
Most of the general questions are related to the terminology and
definition of some basic components. Below are some of them.
1) I don't know whether it is necessary to introduce push and pull
models (for attributes, I guess?) in this particular specification,
which deals with credentials validation.
If you want to request attributes based on the authenticated Subject
creds/ID, this is actually an Attribute Authority (AA) function. So,
why should we embed it into the CVS?
Keeping the CVS to its major function of validating presented
credentials/attributes would be more logical.
2) In the WST/SAML document you have sections "4/5. Request Protocol,
Push/Pull model" and "6. Response Protocol".
Do you mean that there will be separate request and response
protocols, respectively? Currently, however, you describe only request
and response messages.
3) Can you clarify what is meant by "WS-Trust request protocol
message" in section 4?
The WST specification specifies mechanisms that can be added to other
protocols and messages, especially WS-related and SOAP-based ones.
4) I can guess that in section 7 you define a new element
<SubjectAttributeReferenceAdvice>, but it is not clear whether there are
no currently available solutions to do the intended attribute request
based on an authenticated Subject ID, e.g. in GridShib, to which you
refer in the Request pull model in section 3.1.
5) With regard to security considerations, it should be explained
somewhere how you protect the CVS response message from possible tampering.
Should it be signed by the CVS, or should the WST security mechanisms be
used?
Other minor and document-specific questions and comments I will
better provide in the form of a revision of your documents.
Regards,
Yuri
David Chadwick wrote:
> Dear All
>
> Please find attached my first strawman proposal for a profile for
> accessing a credential validation service/security token service/PIP.
>
> This document is the first of two. The second will be a profile for
> XACML for accessing a PDP. As you will read from the attached document,
> the input to the CVS is a set of credentials, and the output is a set of
> validated XACML attributes ready for input to the PDP. I look forward to
> your comments on the above either before or during the next GGF meeting.
>
> Regards
>
> David
>
> I have uploaded the attached to gridforge but it does not appear to be
> visible to the public yet.