[OGSA-AUTHZ] comments on "OGSA Attribute Exchange Profile Version 1.2"

Blair Dillaway blaird at microsoft.com
Thu Jan 10 12:00:49 CST 2008


A few comments and questions on this draft:


1) This spec effectively says that all necessary protocols and encodings have already been defined by OASIS (SAMLCore, SAMLBind, SAMLX509, SAMLProf).  If that's the case, and there's no substantive profiling required, it may be more appropriate to make this an informational document.


2) The only 'profiling' statement seems to be a requirement that SAML Attributes conform to the XACML Attribute Profile. Since "Use of WS-TRUST and SAML to access a CVS" requires this, it is good for consistency. However, comments in the doc indicate some disagreement on whether this is a requirement.  If it changes, I think you should justify the difference in the two specs.


3) Given the reliance on [SAMLX509], it seems this spec is geared toward environments relying on X.509 principal authentication. If so, you might want to make that clear in the introduction.



4) Both this spec and "Use of WS-TRUST and SAML to access a CVS" deal with attribute retrieval. It would be good to clarify how this spec fits into the model used in the other WG specs (i.e., Section 3 of the latter spec) to aid readers in understanding where each is intended to be used. You may also want to provide a brief rationale for why the SAML protocol is appropriate for this spec while WS-Trust is appropriate in the latter.



5) I was surprised to see no discussion of mutual authentication, integrity, and confidentiality. The OASIS specs do mention various ways of handling message security, but I don't believe they mandate any specific security mechanisms.  Within grids, I would have thought people would want a message security interop profile all implementers would agree to support.

Regards,
Blair
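The XACML Attribute Profile requirement raised in comment 2 is the kind of thing a relying party should actually enforce on incoming attribute statements rather than assume. The following is an added example, not part of the original post and not code from the OGSA-AuthZ working group: a small Python check, using only the standard library, that walks the `<saml:Attribute>` elements of a SAML 2.0 attribute statement and reports each one that does not follow the profile (attribute name that is not a URI, `NameFormat` other than the `uri` format, or a missing or unrecognised `xacmlprof:DataType`). The namespace and format URNs are the ones defined by OASIS; the embedded statement is constructed sample input, with one conforming attribute and one that uses the `basic` name format, and the list of accepted XACML data types is an assumption a deployment would tailor.

```python
"""Check SAML 2.0 <Attribute> elements against the SAML XACML Attribute Profile.

The profile requires that an attribute's Name be a URI, that NameFormat be the
'uri' format, and that the element carry a DataType XML attribute (in the
XACML attribute-profile namespace) naming the XACML data type of its values.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_PROF_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
DATATYPE_ATTR = f"{{{XACML_PROF_NS}}}DataType"

# Assumption: the XACML data types this relying party is willing to accept.
# A real deployment would tailor this list to its policy decision point.
ACCEPTED_DATATYPES = {
    "http://www.w3.org/2001/XMLSchema#string",
    "http://www.w3.org/2001/XMLSchema#integer",
    "http://www.w3.org/2001/XMLSchema#boolean",
    "http://www.w3.org/2001/XMLSchema#anyURI",
    "urn:oasis:names:tc:xacml:1.0:data-type:x500Name",
    "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name",
}

# Constructed sample statement: the first attribute conforms to the profile,
# the second uses the 'basic' name format and carries no DataType.
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML">
  <saml:Attribute Name="urn:oid:2.5.4.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string">
    <saml:AttributeValue>Alice Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>vo-admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def check_xacml_attribute_profile(statement_xml: str) -> list[str]:
    """Return one human-readable problem string per profile violation found.

    An empty list means every <saml:Attribute> in the statement conforms.
    """
    root = ET.fromstring(statement_xml)
    problems: list[str] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "<unnamed>")
        # Profile: attribute names are URIs, so an absolute URI scheme is required.
        if not urlparse(name).scheme:
            problems.append(f"{name}: Name is not a URI")
        fmt = attr.get("NameFormat")
        if fmt != URI_NAME_FORMAT:
            problems.append(f"{name}: NameFormat is {fmt!r}, expected {URI_NAME_FORMAT}")
        dtype = attr.get(DATATYPE_ATTR)
        if dtype is None:
            problems.append(f"{name}: missing xacmlprof:DataType")
        elif dtype not in ACCEPTED_DATATYPES:
            problems.append(f"{name}: DataType {dtype!r} is not accepted")
    return problems


if __name__ == "__main__":
    for problem in check_xacml_attribute_profile(SAMPLE_STATEMENT):
        print(problem)
```

Run stand-alone, the script prints three lines, all for the `role` attribute; the `urn:oid:2.5.4.3` attribute passes. A consumer that rejects statements with a non-empty problem list gets the consistency with the WS-Trust/CVS specification that the comment above asks for, without relying on the issuer to have read the profile.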

