[OGSA-AUTHZ] comments on "OGSA Attribute Exchange Profile Version 1.2"

David Chadwick d.w.chadwick at kent.ac.uk
Wed Jan 16 16:17:19 CST 2008 

Hi All

Valerio Venturi wrote:
> Hi all,
> 
> On Sun, 2008-01-13 at 10:26 -0500, Tom Scavo wrote:
>> On 1/10/08, Blair Dillaway <blaird at microsoft.com> wrote:
>>> A few comments and questions on this draft:
>> Thanks for the feedback, Blair.  Please see the comments below.
>>
>>> 1)      This spec effectively says that all necessary protocols and
>>> encodings have already been defined by OASIS (SAMLCore, SAMLBind, SAMLX509,
>>> SAMLPRof).  If that's the case, and there's no substantive profiling
>>> required, it may be more appropriate to make this an informational document.
>> I tend to agree with you.
> It make sense.
> 
>>> 2)      The only 'profiling' statement seems to be a requirement that SAML
>>> Attributes conform to the XACML Attribute Profile. Since "Use of WS-TRUST
>>> and SAML to access a CVS" requires this, it is good for consistency.
>>> However, comments in the doc indicate some disagreement on whether this a
>>> requirement.
>> I was the one who inserted that comment in the doc and I still feel
>> that way.  If all we're interested in is attribute exchange (and
>> that's precisely what this document is about), then the desired
>> attribute profile (if any) is mostly irrelevant.

I tend to disagree with Tom. This is a profile document that we are 
writing, to aid interworking. Given that it is a profile, then it cannot 
be irrelevant which attribute profile is used. We should standardise on 
one. The XACML one is the most appropriate one. If you want to use 
another attribute profile, then you can write a second and different 
attribute exchange profile document.

Alternatively if you allow multiple profiles to be used here, then the 
CVS will need to be told which profile is being used in order to convert 
the assertions into the XACML attributes for use by the PDP. So 
flexibility in this profile means more work by the CVS to map from 
different profiles into XACML attributes.


> The reason why it was there in the first place, was exactly the one
> Blair mentioned, easier compatibility with the other specifications of
> the WG. 

Also it aids interworking, and cuts down implementation options. That is 
the purpose of a profile.

After the discussion, I tended to agree with Tom, that the
> choice may be left to developers. Probably a warning that using
> attributes that are convertible to XACML (so are those compliant to the
> XACML Attribute profile) woudl make interopration wiht other spec easier
> should be in a overall architectuire document.

If we are writing an interoperability profile then we should eliminate 
as many options as possible. That is the purpose of profiles. If you 
leave the choice open, you do a dis-service to users and implementors 
alike who will find that their implementations wont interwork or have to 
write more code to cater for different formats.


> 
>> I think the normative statement in section 4.1 about the XACML
>> Attribute Profile can be removed altogether. 

I disagree

  In that case, your
>> suggestion in (1) above is even more relevant.
>>
>>> If it changes, I think you should justify the difference in
>>> the two specs.
>> I don't think removing the normative language regarding the XACML
>> Attribute Profile leads to an inconsistent family of specifications.
>> On the contrary, removing this restriction makes this specification
>> more usable in general.

But that is not the purpose of this (or any) profile. A profile is 
designed to restrict usage, not generalise it. Base standards are 
generic, profiles are very specific.


> 
>>> 3)      Given the reliance on [SAMLX509], it seems this spec is geared
>>> toward environments relying on X.509 principal authentication. If so, you
>>> might want to make that clear in the introduction.
>> The use case outlined in [SAMLX509] is pretty clear about this, but
>> yes, it can perhaps be mentioned in the introduction to the OGSA
>> Attribute Exchange Profile.
> Agreed.
> 
>>> 4)      Both this spec and "Use of WS-TRUST and SAML to access a CVS" deal
>>> with attribute retrieval. It would be good clarify how this spec fits into
>>> the model used in the other WG specs (i.e., Section 3 of the latter spec) to
>>> aid readers in understanding where each is intended to be used.
>> Yes, I agree, especially if we choose to convert this to an
>> informational document as you suggest.
> There's the Functional Components document for that. 

I agree. We dont want to duplicate the functional components document 
too much in the profiles. Rather we should simply point the reader to 
the Functional Components document.


You're suggesting
> that a brief review of that be done also in the other specs? Infact, the
> requets decision specs has an architecture overview. I thin that having
> the architecture once in the architectire document may suffice. This is
> also one concerns that others have, to include an architecture overview 
> in the specifics specs. 
> 
>>> You may also
>>> want to provide a brief rationale for why the SAML protocol is appropriate
>>> for this spec while WS-Trust is appropriate in the latter.
>> I'm not sure what form this rationale would take.  What alternatives
>> to SAML attribute query are there?  Moreover, I don't think it's
>> appropriate for this spec to rationalize choices in the other spec.
> 
> The protocols are different. WS-Trust is used because you need to send an assertion to the service
> and get an assertion back. SAML attribute queries cannot do that. But
> I'll leave David comments on that.

WS-Trust is converting from credentials (signed assertions) into XACML 
attributes for use by the PDP, according to a set of policy rules that 
are under the control of the resource provider.

The SAML attribute queries are designed to fetch the signed assertions 
from remote attribute authorities, which are under the control of a 
privacy policy set by the attribute authority. The resource provider has 
little or no control over this.

regards

David

> 
>>> 5)      I was surprised to see no discussion of mutual authentication,
>>> integrity, and confidentiality. The OASIS specs do mention various ways of
>>> handling message security, but I don't believe they mandate any specific
>>> security mechanisms.
>> [SAMLX509] mandates mutual authentication and suggests possible ways
>> to achieve integrity and confidentiality.  If you have comments or
>> concerns about the security requirements in [SAMLX509], I encourage
>> you to submit your comments to OASIS while [SAMLX509] remains in its
>> Public Review period (through Feb 9):
>>
>> http://www.oasis-open.org/archives/tc-announce/200712/msg00004.html
>>
>> Also, you may want to review the proposed "SAML V2.0 Attribute Sharing
>> Profile for X.509 Authentication-Based Systems," which has
>> significantly stronger security requirements than [SAMLX509].
>>> Within grids, I would have thought people would want a
>>> message security interop profile all implementers would agree to support.
>> In that case, you may prefer the security requirements of the "SAML
>> V2.0 Attribute Sharing Profile for X.509 Authentication-Based
>> Systems."  I really would like to hear your reactions to that profile
>> (but, please, direct your comments to OASIS, not here).
>>
>> I would be interested in hearing other opinions regarding the security
>> requirements in [SAMLX509], and whether they are adequate for  the
>> OGSA Attribute Exchange Profile.  If not, we have two choices: 1) send
>> comments to OASIS regarding [SAMLX509] and wait to see how the SSTC
>> responds, or 2) insert the desired security requirements in the OGSA
>> profile.  Of course if we add more normative language to the OGSA
>> profile, we won't be able to convert it to an "informational"
>> document, but that's okay, I guess.
> 
> I think the requirements in SAMLX509 are appropiate. But a similar
> discussion was made for the authz decision spec, without reaching a real
> agreement.
> 
> Valerio
> 
> 
> --
>   ogsa-authz-wg mailing list
>   ogsa-authz-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

More information about the ogsa-authz-wg mailing list