[ogsa-wg] SAML profile of XACML is NOT deprecated

Tom Scavo trscavo at gmail.com
Thu Mar 8 08:08:48 CST 2007


Yes, I think there was some confusion about this issue at OGF19.  It
is the SAML authorization decision statement that is "deprecated".
The OASIS SSTC has said that it will not develop or profile the
authorization decision statement further.  (In the SAML V2.0 Core
spec, it is said that the AuthzDecisionStatement is "frozen".)
Instead, folks are encouraged to consider XACML.

Tom Scavo
NCSA

On 3/8/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
> Here is the original message from Anne Anderson
>
> regards
>
> David
>
>
> -------- Original Message --------
> Subject: Re: [OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML
> Date: Mon, 26 Feb 2007 14:01:44 -0500
> From: Anne Anderson - Sun Microsystems <Anne.Anderson at sun.com>
> Reply-To: Anne.Anderson at sun.com
> Organisation: Sun Microsystems, Inc.
> To: David Chadwick <d.w.chadwick at kent.ac.uk>
> CC: Yuri Demchenko <demch at science.uva.nl>, OGSA AUTHZ WG
> <ogsa-authz-wg at ogf.org>
> References: <45D1DABA.4050507 at kent.ac.uk>
> <45DC756B.5090104 at science.uva.nl> <45DCAB9B.7080508 at kent.ac.uk>
>
> The original SAML 1.0 Authorization Decision Query and Statement were
> "frozen" as of SAML 2.0, with a reference to the "SAML 2.0 profile of
> XACML v2.0" as a suggested replacement.
>
> The "SAML 2.0 profile of XACML v2.0" is very much alive and has not been
> deprecated; it is a full OASIS and ITU-T Standard.  You can find a copy
> on the XACML TC Home Page along with the other XACML 2.0 specifications:
> http://www.oasis-open.org/apps/org/workgroup/xacml/manage/edit_notes.php#XACML20.
>
> There were some errors in the spec and schemas that are corrected in
> the "SAML 2.0 profile of XACML v2.0 Errata" available at
> http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip
>
> The XACML TC is updating the "SAML 2.0 profile of XACML" as part of its
> XACML 3.0 release.  The updates are intended to be backwards compatible,
> and consist primarily of some additions to support the XACML 3.0
> Administrative Policy specification, such as the ability for a PEP to
> send a policy to be evaluated along with the request context.  The draft
> of this update is available at
> http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-saml2.0-v2-wd-2.zip
>
> I should be issuing a new draft before too long.
>
> Please let me know if you have any further questions.
>
> Regards,
> Anne
>
> David Chadwick wrote on 02/21/07 15:29:
> > Hi Yuri
> >
> > firstly we have a lot of opportunity to feed our comments into Anne, the
> > author, and I am sure she will be very receptive to our helpful input.
> >
> > Concerning its purpose, it can be used in negotiation for the sender to
> > say what his requirements are from the other party, and what his
> > capabilities are for providing a service to the other party. However,
> > this is not really what we want from this service. We simply want the
> > ability to provide an XACML request context in a secure manner to a
> > remote PDP, and to obtain an XACML response context from the PDP. Which
> > is why the SAML profile (that is now deprecated) was actually ideal for
> > us (and why my first OGF spec was based on it). So my question to Anne
> > would be: can we make sure this new spec has the same functionality (at
> > least) as the previous SAML spec?
> >
> > regards
> >
> > David
> >
> >
> > Yuri Demchenko wrote:
> >
> >> Hi David,
> >>
> >> I looked at the document you sent and was a bit confused about how to position
> >> it among other standards in use and our work.
> >>
> >> Before we can discuss some minor details, I want to say that the title is a
> >> bit misleading. They call it "Web Services Profile of XACML
> >> (WS-XACML)" but actually it is a Web Services Policy (WSP)
> >> profile/extension for (using) XACML in WSP-style policy definition.
> >>
> >> They provided good use cases in the Introduction, and correctly described
> >> the XACML AuthZ token (section 2).
> >>
> >> For me, their definition of XACMLAuthZAssertion
> >> (section 3) is not clear. Is this an assertion or a policy statement?
> >>
> >> "An XACMLAuthzAssertion represents an XACML authorization, access
> >> control, or privacy policy that applies to the target of the
> >> wsp:Policy instance in which it appears. The Assertion MAY be used by
> >> a Web Service to express or publish its authorization, access control,
> >> or privacy requirements or its capability of complying with
> >> requirements imposed by a client. The Assertion MAY be used by a Web
> >> Services client to express or publish its authorization, access
> >> control, or privacy requirements or its capability of
> >> complying with requirements imposed by a Web Service. Two instances of
> >> such an Assertion MAY be matched to determine whether they are
> >> compatible, and, if so, which requirements and capabilities are
> >> compatible."
> >>
> >> Also, I didn't find support for the much-expected cryptographically
> >> valid/ensured attributes.
> >>
> >> So, what possibilities do we have to give our comments to the author?
> >>
> >> Yuri
> >>
> >>
> >> David Chadwick wrote:
> >>
> >>> is attached.
> >>>
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> --
> >>>   ogsa-authz-wg mailing list
> >>>   ogsa-authz-wg at ogf.org
> >>>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
> >>
> >>
> >>
> >
>
> --
> Anne H. Anderson             Email: Anne.Anderson at Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
> --
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
> --
>   ogsa-wg mailing list
>   ogsa-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-wg
>