[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [security-services] The multiple subject issue
Phill,

This is much better now. A couple of clarifying questions though, related to SubjectConfirmation:

1) If both NameIdentifier and SubjectConfirmation are present, does that mean that a relying party (for the containing assertion) MUST/SHOULD/MAY check the s-c value as part of assertion validation? core-25 seems to imply this is a MAY, but I'd rather it be explicit (I don't mind which is chosen really).

2) Once 1)'s answered, then the same question for the case where there's only a SubjectConfirmation. I guess a MUST might be more easily argued in this case?

3) Let s1 = <Subject><n-i=fred/></Subject> and s2 = <Subject><n-i=fred/><s-c=fred-cert/></Subject> (i.e. s2 is s1 with the addition of a SubjectConfirmation). Now, when do I consider s1=s2 and when not? E.g. if I send you an AuthenticationQuery containing s1 and you send me back an assertion containing s2, is that ok? In this case I've no suggested answer, since I don't believe I understand the consequences well enough - maybe someone else does?

Finally, given that these questions arise, I guess I should ask whether it's really a good idea to couple the s-c stuff with the Subject instead of including it elsewhere in the assertion or protocol constructs?

Stephen.
"Hallam-Baker, Phillip" wrote:
>
> To try to clarify this issue, here is the schema as amended during the con
> call 2 weeks ago:
>
>   <element name="SubjectStatement"
>            type="saml:SubjectStatementAbstractType"/>
>   <complexType name="SubjectStatementAbstractType" abstract="true">
>     <complexContent>
>       <extension base="saml:StatementAbstractType">
>         <sequence>
>           <element ref="saml:Subject"/>
>         </sequence>
>       </extension>
>     </complexContent>
>   </complexType>
>
>   <element name="Subject" type="saml:SubjectType"/>
>   <complexType name="SubjectType">
>     <choice>
>       <sequence>
>         <element ref="saml:NameIdentifier"/>
>         <element ref="saml:SubjectConfirmation" minOccurs="0"/>
>       </sequence>
>       <element ref="saml:SubjectConfirmation"/>
>     </choice>
>   </complexType>
>
> A statement can have exactly ONE subject that may be described by a Name
> Identifier alone, OR a Name Identifier and subject confirmation OR a subject
> confirmation alone.
>
> In the case of a name alone the subject confirmation is presumably out of
> scope, quite likely in an attribute statement.
>
> In the case of subject confirmation alone the name may well be irrelevant.
>
> Phill
>
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227

--
____________________________________________________________
Stephen Farrell
Baltimore Technologies,          tel: (direct line) +353 1 881 6716
39 Parkgate Street,              fax: +353 1 881 7000
Dublin 8.                        mailto:stephen.farrell@baltimore.ie
Ireland                          http://www.baltimore.com
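The following is an added example, not code from this thread or from any SAML implementation. It encodes the three-way <choice> in the quoted SubjectType schema as a parser that rejects every other child sequence, and then puts Stephen's three questions into code: a relying-party check whose behaviour for the "both elements present" case is a MUST/MAY parameter (the thread leaves that choice open), and one possible rule for when s1 and s2 count as the same subject (the thread offers no answer; this rule is an illustration, not the specification's). Assumptions: the SAML 1.0 assertion namespace, which the quoted fragments omit, and a SubjectConfirmation modelled as opaque text, since the quoted schema does not show its content model. The sample Subjects are constructed to mirror Stephen's s1 and s2.

```python
"""Subject parsing and checking under the three-way choice quoted in the thread.

Added example, not code from the original thread or from any SAML implementation.
Assumptions: the SAML 1.0 assertion namespace, and a SubjectConfirmation modelled
as opaque text (the quoted schema does not show its content model).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # assumed namespace
SUBJECT = f"{{{SAML_NS}}}Subject"
NAME_ID = f"{{{SAML_NS}}}NameIdentifier"
SUBJ_CONF = f"{{{SAML_NS}}}SubjectConfirmation"

# The quoted schema admits exactly these child sequences of <Subject>.
ALLOWED_SHAPES = ([NAME_ID], [NAME_ID, SUBJ_CONF], [SUBJ_CONF])


@dataclass(frozen=True)
class Subject:
    name: Optional[str]          # NameIdentifier text, or None
    confirmation: Optional[str]  # SubjectConfirmation text (opaque here), or None


def parse_subject(xml_text: str) -> Subject:
    """Parse a <saml:Subject>, rejecting anything outside the three allowed shapes."""
    root = ET.fromstring(xml_text)
    if root.tag != SUBJECT:
        raise ValueError(f"expected {SUBJECT}, got {root.tag}")
    shape = [child.tag for child in root]
    if shape not in ALLOWED_SHAPES:
        raise ValueError(
            "Subject must be NameIdentifier, NameIdentifier+SubjectConfirmation, "
            "or SubjectConfirmation alone"
        )
    name = root.findtext(NAME_ID)
    conf = root.findtext(SUBJ_CONF)
    return Subject(
        name=name.strip() if name is not None else None,
        confirmation=conf.strip() if conf is not None else None,
    )


def is_valid_subject(xml_text: str) -> bool:
    """True when the text is well-formed XML in one of the three allowed shapes."""
    try:
        parse_subject(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def relying_party_accepts(subject: Subject, presented: Optional[str], policy: str) -> bool:
    """Questions 1 and 2: does the relying party check the s-c value?

    `presented` is the confirmation the presenter actually demonstrated (e.g. the
    certificate it used); `policy` is the thread's open choice, "MUST" or "MAY",
    for a Subject that carries both elements.
    """
    if subject.confirmation is None:
        return True  # name only: confirmation out of scope (Phill's reading)
    if subject.name is None:
        # s-c alone: the confirmation is all that identifies the subject, so it is checked
        return presented == subject.confirmation
    if policy == "MUST":
        return presented == subject.confirmation
    if policy == "MAY":
        return presented is None or presented == subject.confirmation
    raise ValueError(f"unknown policy {policy!r}")


def same_subject(query: Subject, response: Subject) -> bool:
    """Question 3 under one possible rule (an illustration, not the spec's answer):
    names must agree where both are present, and a confirmation in the response is
    acceptable when the query left it unconstrained or the two agree."""
    if query.name is not None and response.name is not None:
        if query.name != response.name:
            return False
        if query.confirmation is None:
            return True  # s1 = <n-i=fred/> accepts s2 = <n-i=fred/><s-c=fred-cert/>
        return query.confirmation == response.confirmation
    # At least one side has no name: only an identical confirmation makes them the same.
    return query.confirmation is not None and query.confirmation == response.confirmation


# Constructed samples mirroring Stephen's s1 and s2, an s-c-only Subject, and a malformed one.
S1 = f'<Subject xmlns="{SAML_NS}"><NameIdentifier>fred</NameIdentifier></Subject>'
S2 = (f'<Subject xmlns="{SAML_NS}"><NameIdentifier>fred</NameIdentifier>'
      f'<SubjectConfirmation>fred-cert</SubjectConfirmation></Subject>')
S3 = f'<Subject xmlns="{SAML_NS}"><SubjectConfirmation>fred-cert</SubjectConfirmation></Subject>'
BAD = (f'<Subject xmlns="{SAML_NS}"><SubjectConfirmation>fred-cert</SubjectConfirmation>'
       f'<NameIdentifier>fred</NameIdentifier></Subject>')  # wrong order: not in the <choice>

if __name__ == "__main__":
    s1, s2, s3 = parse_subject(S1), parse_subject(S2), parse_subject(S3)
    print("s1 query, s2 response, same subject:", same_subject(s1, s2))
    print("s2 query, s1 response, same subject:", same_subject(s2, s1))
    print("RP accepts s2, nothing presented, MAY:", relying_party_accepts(s2, None, "MAY"))
    print("RP accepts s2, nothing presented, MUST:", relying_party_accepts(s2, None, "MUST"))
    print("RP accepts s3 with fred-cert:", relying_party_accepts(s3, "fred-cert", "MUST"))
    print("BAD is a valid Subject:", is_valid_subject(BAD))
```

The point the code makes visible is the one Stephen's questions turn on: with the schema as quoted, the only case where the confirmation is unambiguously load-bearing is SubjectConfirmation alone; for NameIdentifier plus SubjectConfirmation the relying party's behaviour, and whether a response Subject with an extra confirmation still "equals" the query Subject, both depend on a rule that the schema itself does not state.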