Subject: RE: draft-sstc-core-10 sec 1.4.4.2 Element <Evidence>
All,

Michah's questions were useful in leading me to the following description of the <Evidence> element. Note that the semantics of <Evidence> are NOT those of <Advice> since the inclusion of evidence DOES affect the reliance model and cannot be ignored. Another way the same issue could be addressed is with Marlena's ValidityDependsUpon condition that we nixed a while back. However that does not capture the precise semantics either since in this case it is not the Validity of the assertion but the Truthfulness of the assertion that is the issue.

Phill (who has one sub section left to write!)

The <Evidence> element specifies a set of assertions that the issuer relied upon in issuing the assertion. The statement of an assertion as evidence MAY affect the reliance agreement between the client and service. For example, in the case that the client presented an assertion to the service in a request, the service MAY use that assertion as evidence in making its response without endorsing the assertion as valid either to the client or any third party.

The following schema defines the <Evidence> element:

<element name="Evidence" type="saml:AssertionSpecifierType"/>

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227

> -----Original Message-----
> From: Lerner, Michah, ALSVC [mailto:michah@att.com]
> Sent: Thursday, July 26, 2001 12:21 AM
> To: oasis sstc
> Subject: draft-sstc-core-10 sec 1.4.4.2 Element <Evidence>
>
> As with any new element, there are bound to be questions about the
> Element <Evidence> defined by section 1.4.4.2 of draft-sstc-core-10
> and core-discussion-00 sections 3.1.1, 4.1.14, and 4.2.3. Here are
> several that may benefit from clarification and discussion.
>
> 1) Is saml:evidence different from saml:advice? Already
> xtass:evidence shares identical wording with saml:advice, including
> the missing )
> 2) Since an AuthorizationDecisionAssertion is "made subject to the
> assertions in the Evidence element"
> a) Does the AuthorizationDecisionAssertion certify the textually
> enclosed saml:evidence as valid "jointly and severally", as
> defined by the Element <Claims>? If so, what is the purpose
> of carrying the evidence, and is the evidence unique or
> complete?
> b) What, if any, are the consistency requirements between multiple
> saml:evidence elements within an AuthorizationDecisionAssertion?
> 3) Is saml:evidence local to the saml:AuthenticationDecisionAssertion
> that textually encloses it?
> 4) What properties describe the saml:evidence available in a
> SAMLResponse to a SAML protocol AuthorizationQuery, and how does this
> depend on the evidence provided in the query?
>
> //Michah
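The reliance distinction drawn in the reply above (Advice is informational and a relying party may ignore it; Evidence is what the issuer relied upon without endorsing it, so the relying party has to check it itself before relying on the decision) as an added example of how a relying party might implement it. This is not code from the thread or from the SSTC draft. The namespace URI, the element names AuthorizationDecisionAssertion, Advice, Evidence and AssertionIDReference, the Issuer/Decision/Resource attributes and the in-memory assertion store are all constructed placeholders; draft-sstc-core-10 defines <Evidence> via saml:AssertionSpecifierType, whose exact content model is not reproduced here.

```python
"""Relying-party handling of <Evidence> vs <Advice> (added example, not the draft's schema)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "urn:example:saml-draft"  # placeholder namespace (assumption, not the draft's URI)
ET.register_namespace("saml", NS)


def q(tag):
    """Clark-notation name for an element in the placeholder namespace."""
    return "{%s}%s" % (NS, tag)


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


NOW = _utc(2001, 7, 26, 12, 0)                 # constructed evaluation time
TRUSTED_ISSUERS = {"idp.example", "pdp.example"}

# Constructed store of assertions the relying party can resolve references against:
# id -> (issuer, NotBefore, NotOnOrAfter). All values are made up for the example.
ASSERTION_STORE = {
    "a-auth-1": ("idp.example", _utc(2001, 7, 26), _utc(2001, 7, 27)),
    "a-auth-expired": ("idp.example", _utc(2001, 7, 20), _utc(2001, 7, 21)),
    "a-untrusted": ("rogue.example", _utc(2001, 7, 26), _utc(2001, 7, 27)),
}


def build_assertion(decision, evidence_refs=(), advice_refs=(), issuer="pdp.example"):
    """Constructed AuthorizationDecisionAssertion with optional <Advice> and <Evidence>
    children carrying AssertionIDReference values (element names are assumptions)."""
    root = ET.Element(q("AuthorizationDecisionAssertion"),
                      {"Issuer": issuer, "Decision": decision, "Resource": "urn:example:res/1"})
    for tag, refs in (("Advice", advice_refs), ("Evidence", evidence_refs)):
        if refs:
            holder = ET.SubElement(root, q(tag))
            for ref in refs:
                ET.SubElement(holder, q("AssertionIDReference")).text = ref
    return ET.tostring(root, encoding="unicode")


def id_refs(parent, child_tag):
    """AssertionIDReference values under parent/<child_tag>, or [] when absent."""
    holder = parent.find(q(child_tag))
    if holder is None:
        return []
    return [r.text.strip() for r in holder.findall(q("AssertionIDReference")) if r.text]


def assertion_acceptable(ref, trusted_issuers, now):
    """The relying party's own check of a referenced assertion: it must be known,
    come from an issuer this party trusts, and be inside its validity window."""
    entry = ASSERTION_STORE.get(ref)
    if entry is None:
        return False
    issuer, not_before, not_on_or_after = entry
    return issuer in trusted_issuers and not_before <= now < not_on_or_after


def evaluate(xml_text, trusted_issuers=TRUSTED_ISSUERS, now=NOW):
    """Return (decision, reason). Advice is parsed but never changes the outcome.
    Every Evidence reference must pass the relying party's own check, because the
    issuer relied on it without endorsing it; a bad one makes the result Indeterminate."""
    root = ET.fromstring(xml_text)
    if root.tag != q("AuthorizationDecisionAssertion"):
        return "Indeterminate", "not an authorization decision assertion"
    if root.get("Issuer") not in trusted_issuers:
        return "Indeterminate", "decision issuer not trusted"
    advice = id_refs(root, "Advice")  # informational only; dangling refs are harmless
    for ref in id_refs(root, "Evidence"):
        if not assertion_acceptable(ref, trusted_issuers, now):
            return "Indeterminate", "evidence %s not acceptable to relying party" % ref
    return root.get("Decision"), "ok; %d advice ref(s) ignored" % len(advice)


if __name__ == "__main__":
    for label, doc in [
        ("valid evidence", build_assertion("Permit", evidence_refs=["a-auth-1"])),
        ("expired evidence", build_assertion("Permit", evidence_refs=["a-auth-expired"])),
        ("dangling advice", build_assertion("Permit", advice_refs=["no-such-id"])),
    ]:
        print(label, "->", evaluate(doc))
```

The point the example makes is the one in the reply: a decision whose <Evidence> the relying party cannot itself accept is not relied upon, even though the issuer's own signature or trust status is fine, whereas a missing or unresolvable <Advice> reference changes nothing.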