Subject: RE: Proposed glossary definition of 'Assertion'
I like this definition as well - and believe that the 3rd and 4th cases are in fact within scope.

- joe

-----Original Message-----
From: George_Robert_Blakley_III@tivoli.com [mailto:George_Robert_Blakley_III@tivoli.com]
Sent: Friday, April 20, 2001 5:53 PM
To: Irving Reid
Cc: Jeff Hodges; security-services@lists.oasis-open.org
Subject: Re: Proposed glossary definition of 'Assertion'

This definition sounds pretty good to me.

--bob

Bob Blakley (blakley@tivoli.com, regardless of what the email headers may say!)
Chief Scientist
Enterprise Solutions Unit
Tivoli Systems, Inc. (an IBM Company)

Irving Reid <Irving.Reid@baltimore.com> on 04/20/2001 11:41:53 AM

To: Jeff Hodges <jhodges@oblix.com>, security-services@lists.oasis-open.org
cc:
Subject: Proposed glossary definition of 'Assertion'

Based on discussions with a few people at F2F2, I've put together a draft of what I think the SAML documents mean when they say 'assertion':

Assertion: A datum that contains
  (a) The principal identity of the Asserting Party,
  (b) An identifier of the referent of the assertion, and
  (c) the claim being asserted.

Assertions may also have Assertion Identifiers, and they may be signed by some authority (not necessarily the Asserting Party).

Examples:

'cn=Colour Authority, o=company.com' asserts that 'cn=fred, ou=employees, o=company.com' is pink.

'cn=Authz Decision Point, o=companyA.com' asserts that 'cn=chris, ou=hangers-on, o=companyB.com' is allowed to read http://companyA.com/index.html at this instant.

And, though this might be out of scope,

'cn=Colour Authority, o=company.com' asserts that the SAML assertion with identifier {blob} is a pink assertion.

'cn=B2B Infrastructure, o=company.com' asserts that the document identified by URI http://company.com/B2B/purchase-orders/5551212, with SHA hash {blob}, was created by a representative of 'company.com' with authority for purchases up to 15 Canadian Dollars.

The third and fourth examples are why the definition I propose says 'identifier of the referent' rather than something more specific like "principal identity of the subject".

To those of you who say "Hey! That's an attribute certificate!" I say "Shh - if we don't say it too loud, the lurking dragons may not notice."

- irving

------------------------------------------------------------------
To unsubscribe from this elist send a message with the single word "unsubscribe" in the body to: security-services-request@lists.oasis-open.org
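As an added illustration of the proposed definition (this is constructed example code, not code from the thread, from SAML, or from any of the participants' products), the following Python models an assertion as the three required parts plus the optional identifier and signature, and shows the two checks a relying party would actually perform: the signature is verified under the key of the signer, who may be a different authority than the Asserting Party, and for a document referent of the fourth kind the content hash bound into the identifier is checked against the fetched document. HMAC-SHA256 stands in for the signature scheme, which the thread does not specify; the DNs, key and purchase-order content are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    asserting_party: str          # (a) principal identity of the Asserting Party
    referent: str                 # (b) identifier of the referent: a principal DN,
                                  #     another assertion's id, or URI plus hash
    claim: str                    # (c) the claim being asserted
    assertion_id: Optional[str] = None   # optional Assertion Identifier
    signer: Optional[str] = None         # signing authority; need not be (a)
    signature: Optional[bytes] = None


def canonical_bytes(a: Assertion) -> bytes:
    """Canonical encoding of every field a verifier relies on, so changing any
    of them (including the claimed signer) invalidates the signature."""
    payload = {"asserting_party": a.asserting_party, "referent": a.referent,
               "claim": a.claim, "assertion_id": a.assertion_id,
               "signer": a.signer}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(a: Assertion, signer: str, key: bytes) -> Assertion:
    """HMAC-SHA256 is an assumed stand-in for the real signature mechanism."""
    unsigned = replace(a, signer=signer, signature=None)
    mac = hmac.new(key, canonical_bytes(unsigned), hashlib.sha256).digest()
    return replace(unsigned, signature=mac)


def verify(a: Assertion, trusted_keys: dict) -> bool:
    """Accept only if all three required parts are present and the signature
    verifies under the key registered for the *signer* (not the asserting party)."""
    if not (a.asserting_party and a.referent and a.claim):
        return False
    if a.signer is None or a.signature is None:
        return False            # policy here: unsigned assertions are rejected
    key = trusted_keys.get(a.signer)
    if key is None:
        return False            # unknown signer: nothing to verify against
    expected = hmac.new(key, canonical_bytes(a), hashlib.sha256).digest()
    return hmac.compare_digest(expected, a.signature)


def document_referent(uri: str, content: bytes) -> str:
    """Referent identifier for the fourth example: URI plus content hash."""
    return f"{uri}#sha256={hashlib.sha256(content).hexdigest()}"


def referent_matches_document(referent: str, content: bytes) -> bool:
    """Check a fetched document against the hash bound into the referent, so the
    claim cannot be transferred to a different document at the same URI."""
    _uri, sep, digest = referent.partition("#sha256=")
    if not sep:
        return False
    return hmac.compare_digest(hashlib.sha256(content).hexdigest(), digest)


# Constructed sample data mirroring the thread's examples.
SIGNER = "cn=Signing Service, o=company.com"
TRUSTED_KEYS = {SIGNER: b"constructed-demo-key"}

PO_CONTENT = b"PO 5551212: 3 widgets, total CAD 12.00"   # constructed document
PO_REFERENT = document_referent(
    "http://company.com/B2B/purchase-orders/5551212", PO_CONTENT)

PINK = sign(Assertion("cn=Colour Authority, o=company.com",
                      "cn=fred, ou=employees, o=company.com", "is pink",
                      assertion_id="a-001"), SIGNER, TRUSTED_KEYS[SIGNER])

# Third example: the referent is another assertion's identifier (left unsigned).
META = Assertion("cn=Colour Authority, o=company.com", PINK.assertion_id,
                 "is a pink assertion")

PURCHASE = sign(Assertion("cn=B2B Infrastructure, o=company.com", PO_REFERENT,
                          "created by a representative of company.com with "
                          "purchase authority up to 15 Canadian Dollars"),
                SIGNER, TRUSTED_KEYS[SIGNER])

TAMPERED = replace(PINK, claim="is green")   # altered claim, stale signature

if __name__ == "__main__":
    print("pink verifies:", verify(PINK, TRUSTED_KEYS))               # True
    print("tampered verifies:", verify(TAMPERED, TRUSTED_KEYS))       # False
    print("unsigned meta verifies:", verify(META, TRUSTED_KEYS))      # False
    print("PO matches:", referent_matches_document(PO_REFERENT, PO_CONTENT))  # True
```

Note that PINK.signer differs from PINK.asserting_party, which is exactly the case the definition allows; verify() therefore looks up the signer's key and never treats the Asserting Party field as proof of anything on its own.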