[OGSA-AUTHZ] Draft XACML/SAML Protocol Profile

David Chadwick d.w.chadwick at kent.ac.uk
Tue Dec 4 11:48:18 CST 2007 


Chad La Joie wrote:
> Okay, I'll look at the document in more detail.
> 
> I believe I already mentioned to Valerio that I think there is benefit 
> to having two separate documents, one for the protocol and one for the 
> attributes. 

Its more than just attributes. Obligations also need to be standardised.
Perhaps CRUD actions as well.

  This allows parts to be updated more easily and, if written
> properly, would allow the attributes spec to be cited by things 
> unrelated to XACML but still wanting to the attributes you define.

Agreed. This has been discussed by the WG. Its all a question of timing. 
If the attributes/obligations etc can come quickly after the protocol 
profiles this will be fine, but if it takes years then it would be too long.

regards

David

> 
> I'll note the SAML profile document has both protocol and attribute 
> profiles in it.  The TC botched I much of the attribute profile text and 
> now there's errata that basically says to ignore whats in the SAML 
> profile document, in regards to attributes, and refer to a set of other 
> documents that are now available or in progress.  Seems like avoiding 
> the even the chance of having to do that is a good thing.
> 
> David Chadwick wrote:
>> Hi Valerio and Chad
>>
>> Valerio Venturi wrote:
>>> Hi Chad,
>>> your work aims at satisfying the same need of one the current WG 
>>> draft, Use of XACML Request Context to Obtain an Authorization Decision,
>>> last version at 
>>> https://forge.gridforum.org/sf/docman/do/downloadDocument/projects.ogsa-authz/docman.root.authz_service/doc14907 
>>>
>>> One difference is that this one states only that the SAML V2.0 Profile
>>> for XACLM V2.0 is used for carrying the message, while yours go deeper
>>> into details and mandate to using the SAML SOAP Binding. I think this
>>> suits also the WG specification, and this is exaclty what the SAML
>>> Profile for XACML was meant to, to leverage protocols and bindings that
>>> SAML have, why XACLM doesn't.
>> I agree. Where there are different options that are not pinned down 
>> sufficiently tightly in the existing drafts, then we should be adding 
>> additional text in order to ensure interworking.
>>
>>
>>> The other requirements seems to me sounding as well. Please keep us
>>> informed of your efforts, so that we can exhange experiences and find a
>>> convergence. David, as the main author of the XACML spec, do you think 
>>> Chad's doc
>>> requirements can be received in your doc? 
>> I have no problems with this. After all this is meant to be the WG spec 
>> that is reached by common consensus. So if most people in the WG want 
>> these additions they will be adopted.
>>
>> I really hope so, since I'm
>>> implementing those too:). Actually, when we speak of web services, most
>>> of the time is assumed you'll be using SOAP over HTTP, but I think it's
>>> worth be clear in a spec.
>> agreed. It is always good to explictly spell out all assumptions, since 
>> years later different people with different assumptions can read the 
>> spec and then misinterpret it.
>>
>>
>>> Another thing, what about a WSDL? We are publishing one, though non
>>> normative, in the Attribute Exchange Profile. In general, I think WSDL
>>> helps adoption a lot, so it may be a good idea having one in. What do
>>> you think?  
>>> Chad, needless, your comemnts on the WG doc are also very much
>>> appreciated.
>> I second that. We need to know which bits you agree with and which bits 
>> you dont, or which bits are not explicit enough
>>
>> regards
>>
>> David
>>
>>> Valerio
>>>
>>> On Mon, 2007-12-03 at 06:54 -0800, Chad La Joie wrote:
>>>> For part of some EGEE work that I'm involved in I came up with a 
>>>> profile, in draft form currently, for the XACML over SAML protocol 
>>>> defined within the OASIS XACML working group.  Valerio suggested that 
>>>> I make it available to this working group for possible adoption in 
>>>> your efforts.
>>>>
>>>> The draft can be found here:
>>>> http://switch.ch/grid/support/documents/xacmlsaml.pdf
>>>>
>>>> The basic goal of the document is to restrict possible options into a 
>>>> baseline subset such that discreet implementations might 
>>>> inter-operate.   I think Valerio's summary of the document, as 
>>>> follows, is good:
>>>> - requirement for using the SAML SOAP binding as in SAMLBind
>>>> - requirement for having mutual authentication between the requester and
>>>> the responder
>>>> - some requirements on the elements usage
>>>> - requirements on authN, integrity and confidentiality
>>>> Note this document is only about interoperability at the protocol 
>>>> level, it does not speak to the other necessary item here which is a 
>>>> profile for the information (attributes) within the XACML 
>>>> request/response context.  I know that individuals here have already 
>>>> been working on such a document.
>>>>
>>>> Comments are welcome to the document.  We will be going forward with 
>>>> an immediate implementation of this draft for the EGEE work, but that 
>>>> should only be taken as a reflection of a constrained timeline for a 
>>>> short-term project, not as an indication that the profile is already 
>>>> as good as possible.
>>>>
>>> -- 
>>>   ogsa-authz-wg mailing list
>>>   ogsa-authz-wg at ogf.org
>>>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>>>
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

More information about the ogsa-authz-wg mailing list