[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Groups - sstc-saml2-profiles-x509-draft-11.odt uploaded
> - It is not clear what is meant by "deployment profile." My rough definition is any profile that simply takes an existing SAML profile and constrains the optional behavior and choices in ways that really don't change the original intent. To me, if I can configure existing software that implements a profile to meet your profile, than what you have is not a new profile in the broad sense, it's just knob turning. The benefit of packaging it all up is clear, I'm not arguing against that, but it's not quite the same thing as defining wholly new profiles. > I agree that > the subprofiles "X.509 SAML Subject Profile" and "SAML Assertion > Profile for X.509 Subjects" are not "profiles" as the word is often > used, but the "SAML Attribute Query Profile for X.509 Subjects" and > the "SAML Attribute Self-Query Profile for X.509 Subjects" are indeed > profiles associated with specific use cases. Not to me. I think they're standard queries. Especially the self-query. That's nothing but a presumption that leads to policy like "I can ask for anything about myself". That's never been in scope, but it's always been legal, and in 2.0 it's even directly expressible inside the request (via Issuer == Subject). How is that different from "SAML Attribute Query-By-Partner for X.509 Subjects"? The only difference is who's asking. I think we have to draw a line somewhere when things start moving beyond the scope of the standard. There's a name for the complete set of everything you're doing at runtime, but I think SAML profile is a little less than that. So, "deployment profile" is my name for that sort of complete document that lays out how a given application in some community is doing things. > Moreover, the use case > associated with the "SAML Attribute Query Profile for X.509 Subjects" > is precisely the same use case that motivates the "SAML Attribute > Sharing Profile for X.509 Authentication-Based Systems", so if one is > not a profile, neither is the other. Which I've argued repeatedly, so I don't think I'm being inconsistent. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]