- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Fri, 26 Jan 2001 17:22:13 -0500
- To: services-comment@lists.oasis-open.org
- Cc: www-archive@w3.org
I apologize if this is the wrong list for comments on this document, but
I've been trying to keep up and comment on various XML security proposals
and they frequently don't have much metadata associated with them, like
where to send comments. <smile> For instance, I've already sent a few
comments on AuthXML [1] and XKMS [2] and I hope they went to the right
place. Which brings me to my second "meta-comment" <smile>: I still don't
have a very good big picture of the relationship between these things. (For
instance, S2ML makes reference to TAS, which mentions XKMS, so I assume
they're somehow related.) I don't say this to criticize; this is cool, though
nascent, so I say this by way of asking patience for any stupid questions or
assumptions on my part.
[1] http://lists.w3.org/Archives/Public/www-archive/2000Dec/0002.html
[2] http://lists.w3.org/Archives/Public/www-archive/2000Dec/0004.html
So on that note, and in trying to understand the S2ML specification, I'm
having some difficulty with the concepts of Assertions and Entitlements,
Authentication and Authorization. For instance, X-TASS seems to describe an
assertion capability, but I don't understand the generic/abstract case. I
see it has some metadata about the assertion (Issuer, assertionUID,
ValidityDate) and how to express two types of specific assertions: (1) access
to resources and (2) a service's opinion of other assertions' validity, but I
don't understand if it's supposed to be something generic like SPKI tuples or
RDF statements?
Then S2ML itself speaks of NameAssertion, which is a statement about
"authentication type, subject name and authenticator." Entitlement is an
assertion too (so maybe it should be called EntitlementAssertion, or
assertion should have a pure definition, and these other things not use the
term?) about authorization. These things seem to have some things in common,
but I'm not sure what their differences are; same with
Authentication/Authorization (and Credentials...). Some of the differences
seem to be that they are expected to occur in a query versus a response, which
seems odd. For instance, one could define it such that a query is a query,
and a response is a response, and one can then make all manner of
authorization and authentication responses and queries.
So, sorry if that's confused but I know I would understand better if I had
some data model behind it, and/or term ontology in which things were clearly
pulled apart:
assertion: w is x.
entitlement: an assertion of the form where w is of {a,b,c} and x is of {d}
authorization: an assertion of the form where w is of {g} and x is {s,t}
request: y is (w is x) bound to some protocol
response: z is (y is (w is x)) bound to some protocol.
I'm clearly no logic whiz, but I'm thinking differences between
syntax/semantic (how to make a statement), protocol (how to send statements
back and forth), and query (statements like a database query or XML query
where I want to get a statement returned (using the protocol) of a
particular type (particular XML or a truth value)).
Ok, with that confused mumbling out of the way, I only have two
straightforward comments:
Section 4.1, example:
The urn in the Audience element is missing its NID [3].
Section 5.4.1.1:
Why have an AzModel attribute with a namespace, since any external content is
going to be namespace qualified anyway (so it will be redundant and/or
confusing)?
[3] http://www.ietf.org/rfc/rfc2141.txt
__
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Friday, 26 January 2001 17:22:18 UTC
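The Section 4.1 comment concerns the NID that RFC 2141 requires between "urn:" and the namespace-specific string. As an added example, not part of the message or the S2ML specification, the following Python checks that a URN such as an Audience value has the urn:<NID>:<NSS> shape and compares two URNs for RFC 2141 lexical equivalence, failing closed on malformed input; the function names and sample values are assumptions.

```python
from __future__ import annotations
import re

# RFC 2141 section 2.2 grammar as regexes (added example, not S2ML code):
#   URN = "urn:" NID ":" NSS;  NID = let-num [ 1..31 let-num-hyp ], "urn"
#   reserved (2.1);  NSS = 1*( trans | "%" hex hex ), with "/", "?", "#"
#   reserved (2.3.2) and "%" valid only as an escape introducer (2.3.1).
_NID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,31}")
_NSS_RE = re.compile(r"(?:[A-Za-z0-9()+,\-.:=@;$_!*']|%[0-9A-Fa-f]{2})+")

def parse_urn(urn: str) -> tuple[str, str]:
    """Return (nid, nss) for a well-formed URN; raise ValueError otherwise."""
    if urn[:4].lower() != "urn:":
        raise ValueError("missing 'urn:' prefix")
    nid, sep, nss = urn[4:].partition(":")
    if not sep:
        # "urn:foo" has one token after "urn:", so the NID (or the NSS) is
        # absent: the defect flagged for the Section 4.1 Audience element.
        raise ValueError("missing NID: expected 'urn:<NID>:<NSS>'")
    if not _NID_RE.fullmatch(nid):
        raise ValueError(f"malformed NID {nid!r}")
    if nid.lower() == "urn":
        raise ValueError("NID 'urn' is reserved")
    if not _NSS_RE.fullmatch(nss):
        raise ValueError(f"malformed NSS {nss!r}")
    return nid, nss

def urn_problem(urn: str) -> str | None:
    """Reason a URN is rejected, or None if it is well-formed."""
    try:
        parse_urn(urn)
    except ValueError as exc:
        return str(exc)
    return None

def normalize_urn(urn: str) -> str:
    """RFC 2141 section 5: lower-case "urn:" and the NID, upper-case the hex
    of %-escapes; the rest of the NSS stays case-sensitive."""
    nid, nss = parse_urn(urn)
    nss = re.sub(r"%[0-9A-Fa-f]{2}", lambda m: m.group(0).upper(), nss)
    return f"urn:{nid.lower()}:{nss}"

def audience_matches(expected: str, presented: str) -> bool:
    """True iff two Audience URNs are lexically equivalent; malformed input
    on either side never matches (fail closed)."""
    try:
        return normalize_urn(expected) == normalize_urn(presented)
    except ValueError:
        return False
```

An audience check that accepts a NID-less value like "urn:foo" would compare identifiers the RFC does not define, so the matcher rejects them rather than guessing.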