security-services message


Subject: Proposed glossary definition of 'Assertion'


Based on discussions with a few people at F2F2, I've put together a draft of
what I think the SAML documents mean when they say 'assertion':

Assertion: A datum that contains (a) the principal identity of the Asserting
Party, (b) an identifier of the referent of the assertion, and (c) the claim
being asserted. Assertions may also have Assertion Identifiers, and they may
be signed by some authority (not necessarily the Asserting Party).

Examples:

'cn=Colour Authority, o=company.com' asserts that 'cn=fred, ou=employees,
o=company.com' is pink.

'cn=Authz Decision Point, o=companyA.com' asserts that 'cn=chris,
ou=hangers-on, o=companyB.com' is allowed to read
http://companyA.com/index.html at this instant.

And, though this might be out of scope,

'cn=Colour Authority, o=company.com' asserts that the SAML assertion with
identifier {blob} is a pink assertion.

'cn=B2B Infrastructure, o=company.com' asserts that the document identified
by URI http://company.com/B2B/purchase-orders/5551212, with SHA hash {blob},
was created by a representative of 'company.com' with authority for
purchases up to 15 Canadian Dollars.

The third and fourth examples are why the definition I propose says
'identifier of the referent' rather than something more specific like
"principal identity of the subject".


To those of you who say "Hey! That's an attribute certificate!" I say "Shh -
if we don't say it too loud, the lurking dragons may not notice."

 - irving -
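The following is an added worked example, not part of the original message and not code from OASIS or any SAML implementation. It models the proposed definition as a data structure with the three required parts (asserting party, referent identifier, claim), the optional Assertion Identifier, and a signature whose signer may differ from the Asserting Party. An HMAC over a canonical serialization stands in for the signature mechanism; the keys, the assertion identifiers, and the Signing Service DN are constructed for the example. The referent field is deliberately a plain string so that it can hold a principal DN, another assertion's identifier (the third example above), or a document URI plus hash (the fourth example).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Assertion:
    asserting_party: str            # (a) principal identity of the Asserting Party
    referent: str                   # (b) identifier of the referent: DN, assertion id, URI+hash, ...
    claim: str                      # (c) the claim being asserted
    assertion_id: Optional[str] = None  # optional Assertion Identifier
    signer: Optional[str] = None        # authority that signed; need not be the Asserting Party
    signature: Optional[str] = None


def canonical_bytes(a: Assertion) -> bytes:
    """Stable serialization of the signed content (the signature itself is excluded)."""
    body = {
        "asserting_party": a.asserting_party,
        "referent": a.referent,
        "claim": a.claim,
        "assertion_id": a.assertion_id,
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(a: Assertion, signer: str, keyring: Dict[str, bytes]) -> Assertion:
    """Return a copy signed by `signer`; HMAC-SHA256 is a stand-in for a real signature."""
    mac = hmac.new(keyring[signer], canonical_bytes(a), hashlib.sha256).hexdigest()
    return replace(a, signer=signer, signature=mac)


def verify(a: Assertion, keyring: Dict[str, bytes]) -> bool:
    """A relying party checks the signature against the key it holds for the named signer."""
    if a.signer is None or a.signature is None or a.signer not in keyring:
        return False
    expected = hmac.new(keyring[a.signer], canonical_bytes(a), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, a.signature)


def tamper(a: Assertion, new_claim: str) -> Assertion:
    """Change the claim but keep the old signature, as an attacker modifying in transit would."""
    return replace(a, claim=new_claim)


# Constructed keys for the example; a deployment would hold certificates, not shared secrets.
KEYRING: Dict[str, bytes] = {
    "cn=Colour Authority, o=company.com": b"constructed-key-colour",
    "cn=Signing Service, o=company.com": b"constructed-key-signing",
    "cn=B2B Infrastructure, o=company.com": b"constructed-key-b2b",
}


def build_examples() -> List[Assertion]:
    # First example: asserted by the Colour Authority, signed by a different authority.
    pink = Assertion(
        asserting_party="cn=Colour Authority, o=company.com",
        referent="cn=fred, ou=employees, o=company.com",
        claim="is pink",
        assertion_id="urn:example:assertion:1",  # constructed identifier
    )
    pink = sign(pink, "cn=Signing Service, o=company.com", KEYRING)

    # Fourth example: the referent is a document identified by URI plus hash; self-signed.
    doc_hash = hashlib.sha256(b"constructed purchase order body").hexdigest()
    po = Assertion(
        asserting_party="cn=B2B Infrastructure, o=company.com",
        referent=f"http://company.com/B2B/purchase-orders/5551212#sha256={doc_hash}",
        claim="created by a representative of company.com with purchase authority up to 15 CAD",
        assertion_id="urn:example:assertion:2",  # constructed identifier
    )
    po = sign(po, "cn=B2B Infrastructure, o=company.com", KEYRING)

    # Third example: the referent is another assertion, named by its Assertion Identifier.
    meta = Assertion(
        asserting_party="cn=Colour Authority, o=company.com",
        referent=pink.assertion_id,
        claim="is a pink assertion",
    )
    meta = sign(meta, "cn=Colour Authority, o=company.com", KEYRING)
    return [pink, po, meta]


if __name__ == "__main__":
    for a in build_examples():
        print(a.asserting_party, "->", a.referent, ":", a.claim, "| valid:", verify(a, KEYRING))
```

The point the code makes about the definition: the relying party trusts the signer's key, and separately decides whether the Asserting Party named inside the assertion is one it accepts claims from; nothing about the signature binds those two roles together, which is why the definition keeps them distinct.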

