[OGSA-AUTHZ] New document. WS-TRUST/SAML profile

Yuri Demchenko demch at science.uva.nl
Wed Apr 19 03:38:21 CDT 2006


Hi David,

I fully support the idea to define a credentials validation service as 
complementary to the XACML-based AuthZ service.

It's known that the XACML TC strictly refrains from adding attribute 
validation functionality to the specification.

This service/functionality is needed and we will support its 
specification.

I read both your drafts and have a few general and specific questions.

Most of the general questions are related to the terminology and 
definition of some basic components. Below are some of them.

1) I don't know whether it is necessary to introduce, in this 
particular specification that deals with credentials validation, 
push and pull models (for attributes, I guess?).

If you want to request attributes based on the authenticated Subject 
creds/ID, this is actually an Attribute Authority (AA) function. So 
why should we embed it into the CVS?

Keeping the CVS to perform its major function, to validate presented 
credentials/attributes, would be more logical.

2) In the WST/SAML document you have sections "4/5. Request Protocol, 
Push/Pull model" and "6. Response Protocol".

Do you mean that there will be separate request and response 
protocols respectively? Currently, however, you describe only request 
and response messages.

3) Can you clarify what is meant by "WS-Trust request protocol 
message" in section 4?

The WST specification specifies mechanisms that can be added to other 
protocols and messages, especially WS-related and SOAP-based ones.

4) I can guess that in section 7 you define a new element 
<SubjectAttributeReferenceAdvice>, but it is not clear whether there are 
no currently available solutions to do the intended attributes request 
based on the authenticated Subject ID, e.g. in GridShib, to which you 
refer in the Request pull model in section 3.1.

5) In regard to security considerations, it should be explained 
somewhere how you protect the CVS response message from possible tampering.

Should it be signed by the CVS, or should the WST security mechanisms be 
used?

Other minor and document-specific questions and comments I will rather 
provide in the form of a revision of your documents.

Regards,

Yuri

David Chadwick wrote:

> Dear All
> 
> Please find attached my first strawman proposal for a profile for 
> accessing a credential validation service/security token service/PIP.
> 
> This document is the first of two. The second will be a profile for 
> XACML for accessing a PDP. As you will read from the attached document, 
> the input to the CVS is a set of credentials, and the output is a set of 
> validated XACML attributes ready for input to the PDP. I look forward to 
> your comments on the above either before or during the next GGF meeting.
> 
> Regards
> 
> David
> 
> 
> I have uploaded the attached to gridforge but it does not appear to be 
> visible to the public yet.
> 
> 