security-services message
Subject: RE: Proposed glossary definition of 'Assertion'


I like this definition as well - and believe that the 3rd and 4th cases are in fact within scope.

- joe

-----Original Message-----
From: George_Robert_Blakley_III@tivoli.com
[mailto:George_Robert_Blakley_III@tivoli.com]
Sent: Friday, April 20, 2001 5:53 PM
To: Irving Reid
Cc: Jeff Hodges; security-services@lists.oasis-open.org
Subject: Re: Proposed glossary definition of 'Assertion'


This definition sounds pretty good to me.

--bob

Bob Blakley (blakley@tivoli.com, regardless of what the email headers may
say!)
Chief Scientist
Enterprise Solutions Unit
Tivoli Systems, Inc. (an IBM Company)


Irving Reid <Irving.Reid@baltimore.com> on 04/20/2001 11:41:53 AM

To:   Jeff Hodges <jhodges@oblix.com>,
      security-services@lists.oasis-open.org
cc:
Subject:  Proposed glossary definition of 'Assertion'



Based on discussions with a few people at F2F2, I've put together a draft of what I think the SAML documents mean when they say 'assertion':

Assertion: A datum that contains (a) the principal identity of the Asserting Party, (b) an identifier of the referent of the assertion, and (c) the claim being asserted. Assertions may also have Assertion Identifiers, and they may be signed by some authority (not necessarily the Asserting Party).

Examples:

'cn=Colour Authority, o=company.com' asserts that 'cn=fred, ou=employees,
o=company.com' is pink.

'cn=Authz Decision Point, o=companyA.com' asserts that 'cn=chris,
ou=hangers-on, o=companyB.com' is allowed to read
http://companyA.com/index.html at this instant

And, though this might be out of scope,

'cn=Colour Authority, o=company.com' asserts that the SAML assertion with
identifier {blob} is a pink assertion.

'cn=B2B Infrastructure, o=company.com' asserts that the document identified by URI http://company.com/B2B/purchase-orders/5551212, with SHA hash {blob}, was created by a representative of 'company.com' with authority for purchases up to 15 Canadian Dollars.

The third and fourth examples are why the definition I propose says
'identifier of the referent' rather than something more specific like
"principal identity of the subject".


To those of you who say "Hey! That's an attribute certificate!" I say "Shh - if we don't say it too loud, the lurking dragons may not notice."

 - irving -

------------------------------------------------------------------
To unsubscribe from this elist send a message with the single word
"unsubscribe" in the body to:
security-services-request@lists.oasis-open.org



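The proposed definition above, worked through as a small data model (an added example, not code from the thread or from any SAML implementation). It gives the three mandatory parts (asserting party, referent identifier, claim), the optional assertion identifier, and a signature by an authority that need not be the asserting party. The referent is deliberately a union type so that all four of Irving's examples fit: a principal DN, another assertion's identifier, or a document URI plus hash. Signing is a stand-in HMAC-SHA256 over a canonical JSON form with constructed keys; real SAML uses XML Signature, and the DNs, keys and purchase-order bytes here are sample values made up for the example.

```python
"""Toy model of the proposed SAML 'assertion' definition (added example, not from the thread).

Signing is HMAC-SHA256 over a canonical JSON body with constructed keys; this stands in for
the XML Signature that real SAML uses and is only meant to show the structure.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Union


# --- referent kinds: the thing the assertion is about ------------------------------
@dataclass(frozen=True)
class PrincipalRef:
    """A principal, identified by its distinguished name (examples 1 and 2)."""
    dn: str


@dataclass(frozen=True)
class AssertionRef:
    """Another assertion, identified by its assertion identifier (example 3)."""
    assertion_id: str


@dataclass(frozen=True)
class DocumentRef:
    """A document, identified by URI plus the SHA-256 hex digest of its bytes (example 4)."""
    uri: str
    sha256: str


Referent = Union[PrincipalRef, AssertionRef, DocumentRef]


@dataclass
class Assertion:
    asserting_party: str                 # (a) principal identity of the Asserting Party
    referent: Referent                   # (b) identifier of the referent
    claim: dict                          # (c) the claim being asserted
    assertion_id: Optional[str] = None   # optional Assertion Identifier
    signer: Optional[str] = None         # authority that signed; may differ from asserting_party
    signature: Optional[str] = None      # hex HMAC-SHA256 over canonical_bytes()

    def canonical_bytes(self) -> bytes:
        """Deterministic serialisation of the signed content (everything but signer/signature)."""
        body = {
            "asserting_party": self.asserting_party,
            "referent": {"kind": type(self.referent).__name__, **self.referent.__dict__},
            "claim": self.claim,
            "assertion_id": self.assertion_id,
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


# Constructed signing keys, one per authority (a toy key directory for the example).
KEYS = {
    "cn=Colour Authority, o=company.com": b"colour-authority-key",
    "cn=Notary, o=company.com": b"notary-key",
}


def sign(assertion: Assertion, signer: str) -> Assertion:
    """Attach a MAC from `signer`; the signer need not be the asserting party."""
    mac = hmac.new(KEYS[signer], assertion.canonical_bytes(), hashlib.sha256).hexdigest()
    assertion.signer = signer
    assertion.signature = mac
    return assertion


def verify(assertion: Assertion) -> bool:
    """True iff the signature is a valid MAC from the named signer over the current content."""
    if assertion.signer is None or assertion.signature is None:
        return False
    key = KEYS.get(assertion.signer)
    if key is None:
        return False
    expected = hmac.new(key, assertion.canonical_bytes(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion.signature)


def build_examples() -> list:
    """The four examples from the proposal, as Assertion objects."""
    colour = "cn=Colour Authority, o=company.com"
    fred = PrincipalRef("cn=fred, ou=employees, o=company.com")
    a1 = Assertion(colour, fred, {"colour": "pink"}, assertion_id="a1")
    sign(a1, colour)  # signed by the asserting party itself

    a2 = Assertion("cn=Authz Decision Point, o=companyA.com",
                   PrincipalRef("cn=chris, ou=hangers-on, o=companyB.com"),
                   {"permit": "read", "resource": "http://companyA.com/index.html", "when": "now"})
    # Third example: the referent is another assertion, named by its identifier.
    a3 = Assertion(colour, AssertionRef(a1.assertion_id), {"colour": "pink"})
    # Fourth example: the referent is a document identified by URI and hash (constructed bytes).
    po_bytes = b"<purchase-order>constructed sample</purchase-order>"
    a4 = Assertion("cn=B2B Infrastructure, o=company.com",
                   DocumentRef("http://company.com/B2B/purchase-orders/5551212",
                               hashlib.sha256(po_bytes).hexdigest()),
                   {"created_by_representative_of": "company.com", "purchase_limit_cad": 15})
    sign(a4, "cn=Notary, o=company.com")  # signed by an authority other than the asserting party
    return [a1, a2, a3, a4]


if __name__ == "__main__":
    for a in build_examples():
        print(type(a.referent).__name__, a.signer, verify(a))
```

Note that `verify` answers only "did the named signer sign this content"; whether that signer is trusted to vouch for this asserting party's claims is a separate policy decision, which is exactly the gap the "not necessarily the Asserting Party" wording leaves open.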

