W3C home > Mailing lists > Public > www-archive@w3.org > January 2001

Comments on S2ML .8a

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Fri, 26 Jan 2001 17:22:13 -0500
Message-Id: <>
To: services-comment@lists.oasis-open.org
Cc: www-archive@w3.org

I apologize if this is the wrong list for comments on this document, but 
I've been trying to keep up and comment on various XML  security proposals 
and they frequently don't have much metadata associated with them, like 
where to send comments. <smile> For instance, I've already sent a few 
comments on AuthXML [1] and XKMS [2] and I hope they went to the right 
place. Which brings me to my second "meta-comment" <smile> I still don't 
have a very good big-picture of the relationship between these things. (For 
instance, S2ML makes reference of TAS, which mentions XKMS, so I assume 
their somehow related.) I don't say this to criticize, this is cool though 
nascent, so I say this by way of asking patience for any stupid questions or 
assumptions on my part.

[1] http://lists.w3.org/Archives/Public/www-archive/2000Dec/0002.html
[2] http://lists.w3.org/Archives/Public/www-archive/2000Dec/0004.html

So on that note and in trying to understand the S2ML specification I'm 
having some difficulty with the concepts of Assertions and Entitlements, 
Authentication and Authorization. For instance, X-TASS seems to describe an 
assertion capability, but I don't understand the generic/abstract case. I 
see it has some metadata about the assertion (Issuer, assertionUID, 
ValidityDate) and how to express two types of specific assertions (1) access 
to resources and (2) a services opinion of others assertions validity, but I 
don't understand if its suppose to be something generic like SPKI tuples or 
RDF statements?

Then S2ML itself speaks of NameAssertion, which is a statement about 
"authentication type, subject name and authenticator." Entitlement is an 
assertion too (so maybe it should be called EntitlementAssertion, or 
assertion should have a pure definition, and these other things not use the 
term?) about authorization. These things seem to have some things in common, 
but I'm not sure what their differences are, same with 
Authentication/Authorization (and Credentials...) Some of the differences 
seems to be that they expect to occur in a query versus a response, which 
seems odd. For instance, one could define it such that a query is a query, 
and a response is a response, and one can then make all manner of 
authorization, authentication responses and queries.

So, sorry if that's confused but I know I would understand better if I had 
some data model behind it, and/or term ontology in which things were clearly 
pulled apart:
assertion: w is x.
entitlement: an assertion of the form where w is of {a,b,c} and x is of {d}
authorization: an assertion of the form where w is of {g} and x is {s,t}
request: y is (w is x) bound to some protocol
response: z is (y is (w is x)) bound to some protocol.

I'm clearly no logic whiz, but I'm thinking differences between 
syntax/semantic (how to make a statement), protocol (how to send statements 
back and forth), and query (statements like a database query or XML query 
where I want to get a statement returned (using the protocol) of a 
particular type (particular XML or a truth value)).

Ok, with that confused mumbling out of the way, I only have two 
straightforward comments:

Section 4.1, example:
The urn in the Audience element is missing it's NID [3].

Why have a AzModel attribute with a namespace since any external content is 
going to namespace qualified anyway (so it will be redundant and/or 

[3] http://www.ietf.org/rfc/rfc2141.txt

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Friday, 26 January 2001 17:22:18 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:42:00 UTC