security-services message



Subject: RE: composition of AssertionID (Issue: DS-4-04: URIs for AssertionIDs)



People can try to do what they like with a URI.

People made the same argument about the schema identifier URIs and the
censorship scheme URI in PICS. There was no difficulty in either case.

The reason for using a URI is that it allows the issuer to tie the
assertions in to the backend processing infrastructure of their choice. They
are not required to make the assertions locatable but MAY choose to do so.
They MAY choose to issue identifiers that have internal structure; they MAY
use random strings.

The back end processing is out of scope for SAML; the use cases and
requirements considered it out of scope. Therefore SAML should not attempt
to impose restrictions on the structure of the identifiers since these would
be arbitrary.

		Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@east.sun.com]
> Sent: Friday, June 08, 2001 2:22 PM
> To: security-services@lists.oasis-open.org
> Subject: RE: composition of AssertionID (Issue: DS-4-04: URIs for
> Assertio nIDs)
> 
> 
> At 02:09 PM 6/8/01 -0400, Hal Lockhart wrote:
> >I assume you mean retrieving an assertion by dereferencing the URI.
> 
> Yes.
> 
> >We certainly want to be able to request "the assertion with 
> the ID of X"
> >whether or not X is a URI. That's what started this discussion.
> 
> If X looks like a URI (particularly an http-scheme one), 
> people *will* try 
> to dereference it.  Cf. XML namespaces.  So if we intend it 
> *not* to be an 
> "address" as well as an "identifier," we should not use URIs for it.
> 
>          Eve
> --
> Eve Maler                                             +1 781 442 3190
> Sun Microsystems XML Technology Development  eve.maler @ east.sun.com
> 
