security-services message

Subject: RE: composition of AssertionID (Issue: DS-4-04: URIs for AssertionIDs)


At 09:54 AM 6/8/01 -0400, Hal Lockhart wrote:
>Jeff Hodges wrote,
> > The research I did indicates that it is questionable whether
> > it is a good idea
> > to simply use a URL-style URI as shown above and consider the
> > "problem solved".
>
>Yes, but it seems to me that 2/3 of these problems go away if you assume
>global (intergalactic) uniqueness. I further assert that half of the
>remainder go away if you write strict rules for forming and comparing them
>for identity.
>
>This IMO leaves a manageable remainder to deal with.

Sorry to be slow; I'm not sure I understand "2/3 of the problems go away if 
you assume global (intergalactic) uniqueness."  Are you saying that a 
simplifying assumption can be made that all such URIs used as assertion IDs 
*are* unique, without testing?  If we do have a notion of comparing IDs for 
identity, then URIs are notoriously difficult on this point unless we go 
with character-for-character equality (which is a much stricter standard, 
at least for http-scheme URIs, than is usually applied to mean "identity").

>I think we have already agreed that various things in SAML need to be
>administratively configured, based on out of band agreement, so I don't see
>a problem with doing the same for the location of authorities.
>
>I am equally comfortable with 1) an issuer DNS name and a unique integer or
>2) a UUID, but such things are unfashionable. (As someone who was at
>various times an expert on DCE and SET, I understand the need to follow
>technology fashions or be left talking to yourself. ;-)

Hey, I'm willing to consider ideas that seem unfashionable! :-)  It has 
been suggested that XML and URIs go together like PB&J, but if we're not 
anticipating *retrieving* an assertion by means of its unique URI, then I 
believe it's probably better to use something else.

BTW, Jeff asked about controlling which types of URIs are allowed: You can 
restrict the XML Schema datatype called "anyURI" by adding a regular 
expression facet that cuts down the set of valid URI strings.  But there's 
no URI-aware method for cutting out particular schemes or anything like that.

         Eve
--
Eve Maler                                             +1 781 442 3190
Sun Microsystems XML Technology Development  eve.maler @ east.sun.com
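The two technical points raised in this message, comparing URIs "for identity" versus character-for-character, and restricting anyURI with a pattern facet that knows nothing about URI schemes, as an added illustration in Python. This is not code from the thread or from the SAML specification; the sample identifiers, the issuer host and the facet pattern are constructed for the demo.

```python
"""Added illustration, not part of the archived thread: why comparing URIs
"for identity" is harder than character-for-character equality, and how an
XML Schema pattern facet on anyURI behaves as a whole-string regex that
knows nothing about URI schemes. Sample identifiers, the issuer host and
the facet pattern are constructed for this demo."""
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# RFC 3986 "unreserved" characters: the only octets that may be safely
# percent-decoded without changing what the URI identifies.
_UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def strict_equal(a: str, b: str) -> bool:
    """Character-for-character equality: unambiguous, but treats spellings
    a person would call "the same URI" as different identifiers."""
    return a == b


def _normalize_pct(s: str) -> str:
    """Decode percent-escapes of unreserved chars; upper-case the rest."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in _UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def normalize_http_uri(uri: str) -> str:
    """Syntax-based normalization per RFC 3986 section 6.2.2: lower-case
    scheme and host, drop a default port, supply an empty path as '/',
    and canonicalize percent-encoding. Path-segment dot removal is left
    out; assume identifiers are issued without '.' or '..' segments."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    userinfo = p.netloc.rsplit("@", 1)[0] + "@" if "@" in p.netloc else ""
    host = (p.hostname or "").lower()
    port = p.port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None
    netloc = userinfo + (host if port is None else f"{host}:{port}")
    path = _normalize_pct(p.path or "/")
    return urlunsplit((scheme, netloc, path, _normalize_pct(p.query), p.fragment))


def normalized_equal(a: str, b: str) -> bool:
    """The looser "identity" comparison: equal after normalization."""
    return normalize_http_uri(a) == normalize_http_uri(b)


# Constructed sample: three spellings of what a human reads as one AssertionID.
SAMPLE_IDS = [
    "http://issuer.example.com/assertions/12345",
    "HTTP://Issuer.Example.COM:80/assertions/12345",
    "http://issuer.example.com/assertions/%31%32345",
]

# Emulation of an XSD <xs:pattern> facet on anyURI. XML Schema patterns are
# implicitly anchored at both ends, so re.fullmatch is the right primitive;
# this simple pattern uses only syntax common to XSD regexes and Python re.
ISSUER_HTTP_ONLY = r"http://[a-z0-9.-]+/assertions/[0-9]+"


def matches_pattern_facet(value: str, pattern: str = ISSUER_HTTP_ONLY) -> bool:
    """A pattern facet is a lexical filter: it can exclude 'urn:' or 'https:'
    values, but only because those characters fail the regex, not because
    the validator understands URI schemes."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    base = SAMPLE_IDS[0]
    for other in SAMPLE_IDS[1:]:
        print(f"{other!r}: strict={strict_equal(base, other)} "
              f"normalized={normalized_equal(base, other)} "
              f"facet={matches_pattern_facet(other)}")
```

Run as a script, the facet check accepts only the canonical spelling, while the strict and normalized comparisons disagree on the other two; that disagreement is the gap the message points at, so a profile that uses URIs as identifiers has to state which comparison applies. One caveat: XSD's regex dialect is not Python's (no explicit anchors, different class escapes), so a real facet should stay within the shared subset, as this pattern does.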
