Subject: RE: [security-services] Thoughts wrt draft-sstc-saml-issues-status-01
> > 144 ISSUE:[DS-6-05: AttributeScope]
> > status=CLOSED
> > "AttributeNamespace" satisfies this?

No, scoping of attributes is about the context of the value (e.g. my affiliation is faculty, but *where* am I a faculty member?) rather than a context for the attribute's name. This is a particular issue with directory attributes in which the scope is often implicitly "the organization whose directory this is". The SAML assumption is that it's carried in Subject SecurityDomain or otherwise in the value in some attribute-specific way. I think this is a subtle issue that people will discover for themselves, but Shib considers this issue closed.

I followed up because I think it's really critical that anyone that doesn't understand the purpose of XML namespaces doesn't get confused and think that it's appropriate to place a "domain identifier" of some sort in the AttributeNamespace slot. That slot is to identify the XML namespace in which the attribute's Name has been placed. For example, as Stephen Farrell has been arguing, there may well be a namespace defined for inetOrgPerson attributes.

-- Scott