[OGSA-AUTHZ] Draft XACML/SAML Protocol Profile

David Chadwick d.w.chadwick at kent.ac.uk
Wed Dec 5 07:01:54 CST 2007


Hi All

It is obvious that we cannot agree on the full set of useful attributes, 
actions, obligations etc in any short space of time. We will need 
operational experience with a number of applications, in order to 
determine what needs to be standardised. So the document that does this 
will take a year or two to produce. It might even be several documents.

However, we do have experience of using some of these already. So the 
approach I took in the current draft was to document the minimum useful 
subset, get these out now, and then do the rest over a longer timeframe.

This is not the first time I have had experience of doing this sort of 
thing. Back in the 1980s we did the same thing with X.500. In the base 
standard we put a set of commonly usable attribute types, object 
classes, structure rules etc. and then over a longer time frame several 
Internet RFCs were written that specified other standard attribute types, 
object classes etc. The definition of the EduPerson schema was a 
continuation of this and took years to produce (like watching paint dry 
was the comment of one of the authors).

So I think it would be folly to not include any attributes etc. in the 
current protocol specs, since I don't expect such a separate document to 
be produced in a short time frame.

Putting the definitions in separate sections or Annexes to the main 
protocol spec is fine. This is simply document re-structuring and does 
not affect its contents.

regards

David


Valerio Venturi wrote:
> David Chadwick wrote:
>> Chad La Joie wrote:
>>  
>>> Okay, I'll look at the document in more detail.
>>>
>>> I believe I already mentioned to Valerio that I think there is 
>>> benefit to having two separate documents, one for the protocol and 
>>> one for the attributes.     
>>
>> It's more than just attributes. Obligations also need to be standardised.
>> Perhaps CRUD actions as well.
>>
>>> This allows parts to be updated more easily and, if written
>>> properly, would allow the attributes spec to be cited by things 
>>> unrelated to XACML but still wanting to use the attributes you define.
>>>     
>>
>> Agreed. This has been discussed by the WG. It's all a question of 
>> timing. If the attributes/obligations etc. can come quickly after the 
>> protocol profiles this will be fine, but if it takes years then it 
>> would be too long.
>>   
> Yes, the same problems as for the attributes and the attribute exchange 
> profile. And not a straightforward solution. The problem here is more 
> complicated, because while agreeing on a format for VO attributes won't 
> take much, agreeing on identifiers for obligations, actions, and 
> what else seems hard work.
> But that also means that putting them in a specification now is probably 
> premature, and we cannot claim to have consensus on those, while for the 
> protocol we are at a good point.
> What about extracting them to an appendix, maybe in the form of examples? 
> Would that be a good trade-off?
> 
> Valerio
>> regards
>>
>> David
>>
>>  
>>> I'll note the SAML profile document has both protocol and attribute 
>>> profiles in it.  The TC botched much of the attribute profile text 
>>> and now there's errata that basically says to ignore what's in the 
>>> SAML profile document, in regards to attributes, and refer to a set 
>>> of other documents that are now available or in progress.  Seems like 
>>> avoiding even the chance of having to do that is a good thing.
>>>
>>> David Chadwick wrote:
>>>    
>>>> Hi Valerio and Chad
>>>>
>>>> Valerio Venturi wrote:
>>>>      
>>>>> Hi Chad,
>>>>> your work aims at satisfying the same need as one of the current WG 
>>>>> drafts, Use of XACML Request Context to Obtain an Authorization 
>>>>> Decision,
>>>>> last version at 
>>>>> https://forge.gridforum.org/sf/docman/do/downloadDocument/projects.ogsa-authz/docman.root.authz_service/doc14907 
>>>>>
>>>>> One difference is that this one states only that the SAML V2.0 Profile
>>>>> for XACML V2.0 is used for carrying the message, while yours goes deeper
>>>>> into details and mandates using the SAML SOAP Binding. I think this
>>>>> suits the WG specification as well, and this is exactly what the SAML
>>>>> Profile for XACML was meant for, to leverage the protocols and bindings 
>>>>> that
>>>>> SAML has and XACML doesn't.
>>>>>         
>>>> I agree. Where there are different options that are not pinned down 
>>>> sufficiently tightly in the existing drafts, then we should be 
>>>> adding additional text in order to ensure interworking.
>>>>
>>>>
>>>>      
>>>>> The other requirements seem sound to me as well. Please keep us
>>>>> informed of your efforts, so that we can exchange experiences and 
>>>>> find a
>>>>> convergence. David, as the main author of the XACML spec, do you 
>>>>> think Chad's doc
>>>>> requirements can be received in your doc?         
>>>> I have no problems with this. After all this is meant to be the WG 
>>>> spec that is reached by common consensus. So if most people in the 
>>>> WG want these additions they will be adopted.
>>>>
>>>>> I really hope so, since I'm
>>>>> implementing those too:). Actually, when we speak of web services, 
>>>>> most
>>>>> of the time it is assumed you'll be using SOAP over HTTP, but I think 
>>>>> it's
>>>>> worth being clear in a spec.
>>>>>         
>>>> agreed. It is always good to explicitly spell out all assumptions, 
>>>> since years later different people with different assumptions can 
>>>> read the spec and then misinterpret it.
>>>>
>>>>
>>>>      
>>>>> Another thing, what about a WSDL? We are publishing one, though
>>>>> non-normative, in the Attribute Exchange Profile. In general, I think WSDL
>>>>> helps adoption a lot, so it may be a good idea having one in. What do
>>>>> you think?  Chad, needless to say, your comments on the WG doc are also 
>>>>> very much
>>>>> appreciated.
>>>>>         
>>>> I second that. We need to know which bits you agree with and which 
>>>> bits you don't, or which bits are not explicit enough.
>>>>
>>>> regards
>>>>
>>>> David
>>>>
>>>>      
>>>>> Valerio
>>>>>
>>>>> On Mon, 2007-12-03 at 06:54 -0800, Chad La Joie wrote:
>>>>>        
>>>>>> For part of some EGEE work that I'm involved in I came up with a 
>>>>>> profile, in draft form currently, for the XACML over SAML protocol 
>>>>>> defined within the OASIS XACML working group.  Valerio suggested 
>>>>>> that I make it available to this working group for possible 
>>>>>> adoption in your efforts.
>>>>>>
>>>>>> The draft can be found here:
>>>>>> http://switch.ch/grid/support/documents/xacmlsaml.pdf
>>>>>>
>>>>>> The basic goal of the document is to restrict possible options 
>>>>>> into a baseline subset such that discrete implementations might 
>>>>>> inter-operate.   I think Valerio's summary of the document, as 
>>>>>> follows, is good:
>>>>>> - requirement for using the SAML SOAP binding as in SAMLBind
>>>>>> - requirement for having mutual authentication between the 
>>>>>> requester and
>>>>>> the responder
>>>>>> - some requirements on the elements usage
>>>>>> - requirements on authN, integrity and confidentiality
>>>>>> Note this document is only about interoperability at the protocol 
>>>>>> level, it does not speak to the other necessary item here which is 
>>>>>> a profile for the information (attributes) within the XACML 
>>>>>> request/response context.  I know that individuals here have 
>>>>>> already been working on such a document.
>>>>>>
>>>>>> Comments are welcome to the document.  We will be going forward 
>>>>>> with an immediate implementation of this draft for the EGEE work, 
>>>>>> but that should only be taken as a reflection of a constrained 
>>>>>> timeline for a short-term project, not as an indication that the 
>>>>>> profile is already as good as possible.
>>>>>>
>>>>>>           
>>>>> -- 
>>>>>   ogsa-authz-wg mailing list
>>>>>   ogsa-authz-wg at ogf.org
>>>>>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>>>>>
>>>>>         
>>
>>   
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************