SSO v2.0 Proposed Recommendation: Request for Comments
Public discussion page for the IVOA SSO 2.0 Proposed Recommendation.
The latest version of the SSO Specification can be found at:
Comments from the IVOA Community and TCG members during RFC period: 2015-11-01 - 2015-12-13
Comment by Pierre Fernique
- Are there authenticated services already described in the VO registry? And if yes, is it already in use? Can we consider it as a reference implementation? And in fact, do we have reference implementations?
- The author list and editor list seem not to follow current IVOA usage. It is a little bit strange to have the whole Grid and Web Services group as authors, and 3 editors. Maybe it opens the question of how to keep a record of successive editors.
- I wonder if all the complementary sections (short introduction to each authentication method) are really relevant in an IVOA standard. I would suggest putting all normative points in a dedicated section and moving all explanation of existing authoritative methods into a general non-normative section, or an appendix.
- The structure of section 3 could be modified to avoid section 3.1 being a lone item.
- Appendix A must have a short introduction to explain what this long XML schema is. The title "VOResource SecurityMethod extract" is definitely not clear.
- must, may, shall... should be in uppercase in normative sections.
Typos:
- p1: Andreé => André
- p4: user?s => users
- p4: service?s => service
- p4: Is => If a service
- p6: as having a em Web => ?
- p7: table 1 label strangely folded
--
PierreFernique - 2015-11-01
I don't have a good enough understanding of security to assess the substance of this document, but I have some editorial comments.
- Sec 1: "... to another service This ..." -> "... to another service. This ..."
- Sec 2.1: "... this element distinguished ..." -> "... this element distinguishes ..."
- Sec 2.2: There are problems with the XML snippets included here. The <interface> start tag in both cases assigns an attribute with the name xmlns:vs: - I'm pretty sure the trailing colon there should be removed. Also, the attribute assignments are quoted with repeated single quotes, e.g. xsi:type=''vs:ParamHTTP'' - that looks a bit wrong in the PDF but is definitely wrong in the HTML. Quote using single quotes (or single-character double quotes) instead.
- Sec 2.2: "The order identify the priority ..." -> "The order identifies the priority ..."
- Sec 2.2: "... SAML, than cookies ..." -> "... SAML, then cookies ..."
- Sec 3.1: "... combination of the them" -> "... combination of them." ?
- Table 1: This table lists IVOA Identifiers defined as securityMethod values. These identifiers are in some cases referenced in the mechanism-specific subsections later in the text, but not in others, e.g. sec 7.1 says: "Interfaces using this mechanism shall be registered with the security method ivo://ivoa.net/sso#tls-with-password.", but there is no corresponding note in the subsections describing cookies, OAuth, SAML or OpenID. Similar notes should be added to the relevant subsections for consistency and clarity.
- Table 1: The HTTP Basic Authentication securityMethod value in this table is missing a colon ("http//www...").
- Table 1: Where does the HTTP Basic Auth URI come from? There's no requirement that these URIs are dereferenceable, but using the form http://www.w3.org/Protocols/HTTP/1.0/spec/html#BasicAA, which has a different form from the others, looks like it would make sense if that URL was dereferenceable, but it's not. There might be a good answer to this, but I'm interested to know what it is.
- Sec 9.2: "IdP" and "IDP" are both used, are these the same thing?
- Sec 9.2: "SAML2.0 allow also to service discovery mechanisms" - I don't understand what this means.
- Appendix A: Like Pierre, I don't understand what this XML is doing here. Also, the top-level xs:schema element contains the attribute version="1.02" - what's that the version of?
--
MarkTaylor - 2015-11-12
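As an added illustration of the Sec 2.2 well-formedness point in the comment above (example code written for this page, not part of the IVOA SSO document or of either comment): a small Python script that shows why a snippet with doubled single quotes and an xmlns:vs: prefix is rejected by an XML parser, and how a correctly quoted <interface> yields its securityMethod identifiers in document order, which Sec 2.2 says expresses priority. The element layout (<securityMethod standardID="..."/> inside <interface>), the VODataService namespace URI, the accessURL and the second, PLACEHOLDER identifier are assumptions made for the illustration; only ivo://ivoa.net/sso#tls-with-password comes from the page.

```python
"""Well-formedness lint and securityMethod extraction for VOResource-style
<interface> snippets. Added example; not code from the IVOA document."""
import re
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
VS = "http://www.ivoa.net/xml/VODataService/v1.1"  # assumed namespace URI

# Constructed snippet reproducing the two defects described in the comment:
# a declaration named "xmlns:vs:" (trailing colon) and attribute values
# wrapped in doubled single quotes.
BROKEN = """<interface xsi:type=''vs:ParamHTTP''
    xmlns:xsi=''http://www.w3.org/2001/XMLSchema-instance''
    xmlns:vs:=''http://www.ivoa.net/xml/VODataService/v1.1''>
  <accessURL use=''base''>https://example.org/tap</accessURL>
  <securityMethod standardID=''ivo://ivoa.net/sso#tls-with-password''/>
</interface>"""

# The same snippet with single-character quotes and a proper "vs" prefix.
# The second securityMethod value is a constructed placeholder, not a real
# IVOA identifier; it only shows that document order is preserved.
FIXED = """<interface xsi:type="vs:ParamHTTP"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:vs="http://www.ivoa.net/xml/VODataService/v1.1">
  <accessURL use="base">https://example.org/tap</accessURL>
  <securityMethod standardID="ivo://ivoa.net/sso#tls-with-password"/>
  <securityMethod standardID="ivo://example.invalid/sso#PLACEHOLDER"/>
</interface>"""


def is_well_formed(xml_text):
    """True if an XML parser accepts the text at all."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def lint_quoting(xml_text):
    """Textual lint for the two defects, usable even when parsing fails.

    Returns a list of human-readable findings (empty when none are found).
    """
    findings = []
    # attribute="" or attribute='' immediately followed by more text is the
    # doubled-quote pattern; an empty value before '>' or whitespace is fine.
    for name in re.findall(r"([\w:.-]+)=(?:''|\"\")(?=[^\s>/])", xml_text):
        findings.append(f"attribute {name!r} uses doubled quotes")
    for decl in re.findall(r"(xmlns:[\w.-]+:)=", xml_text):
        findings.append(f"namespace declaration {decl!r} has a trailing colon")
    return findings


def security_methods(xml_text):
    """Return securityMethod standardID values in document (priority) order.

    Raises ET.ParseError when the snippet is not well-formed.
    """
    root = ET.fromstring(xml_text)
    return [el.get("standardID") for el in root.iter("securityMethod")]


def interface_type(xml_text):
    """Return the xsi:type of the top-level <interface> element."""
    root = ET.fromstring(xml_text)
    return root.get("{%s}type" % XSI)


if __name__ == "__main__":
    for label, snippet in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, "well-formed:", is_well_formed(snippet))
        for finding in lint_quoting(snippet):
            print("  lint:", finding)
        if is_well_formed(snippet):
            print("  xsi:type:", interface_type(snippet))
            print("  securityMethod order:", security_methods(snippet))
```

The lint runs on raw text because the parser stops at the first bad token, so it would only ever report the first doubled quote; the regex pass lists every occurrence, which is what an editor fixing the spec's HTML would want.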