Subject: Re: [security-services] Proposed text for <NameIdentifier>
Looks like there's a subtle, and of course annoying, difference:

Merlin wrote:
> RFC2253 (IIRC) UTF-8 encodes the name and then replaces
> high-bit-set characters with %XY, rendering international
> characters somewhat human-unintelligible. XMLDSIG
> X509SubjectName operates the same as RFC2253 but does
> not do the UTF-8 step, so international characters
> remain unchanged.

I *think* I recall that dsig also doesn't mandate "squeezing" leading/trailing whitespace when comparing these values, which would also be a difference. E.g. if you compare according to 2253 I believe that "C=IE" is not the same as "C=ie" (the latter being illegal;-), but that "CN=fred or bob" is the same as "CN = FreD or BOB".

So, there're two options (at least?):

a) Declare that saml:#X500Name uses/is-the-same-as dsig:X509SubjectName, include the relevant references and leave sorting out quoting, escaping etc. to the W3C/IETF dsig group. That way the X500/X509 name handling is the same in your dsig and saml code.

b) Be subtly different from dsig by using rfc2253's encoding and comparison rules.

I think that either of them can work, but a) sounds better & simpler to me, though possibly at the expense of putting up with a bias towards good handling of the name forms that get found in X.509 (dunno if that'd be much of an issue).

Regards,
Stephen.

-- 
____________________________________________________________
Stephen Farrell
Baltimore Technologies,          tel: (direct line) +353 1 881 6716
39 Parkgate Street,              fax: +353 1 881 7000
Dublin 8.                        mailto:stephen.farrell@baltimore.ie
Ireland                          http://www.baltimore.com
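The two differences the message turns on, the string encoding of non-ASCII characters and the whitespace/case handling when comparing, as an added Python example that is not code from the list, from SAML or from XMLDSIG. The RFC 2253 side follows section 2.4 of that RFC, which writes each UTF-8 octet of a non-ASCII character as a backslash and two hex digits (the RFC's own example is CN=Lu\C4\8Di\C4\87). The XMLDSIG side is my reading of xmldsig-core section 4.4.4 and should be treated as an assumption: non-ASCII characters are left as characters, ASCII control characters become \XX, and a trailing space becomes \20. The comparison normalizer, the per-attribute rule table and all function names are constructed for this example; which equality rule actually governs an attribute such as C is decided by the matching rule in force, so the table is a parameter and both answers for "C=IE" versus "C=ie" can be seen.

```python
"""Two string encodings of an X.500 DN and a comparison normalizer.

Added illustration of the RFC 2253 vs XMLDSIG X509SubjectName difference
discussed in the message; not code from the list, SAML or XMLDSIG.
"""
import re
import string

# RFC 2253 section 2.4: these are backslash-escaped anywhere in a value;
# '#' only at the start of a value, ' ' only at the start or end.
_SPECIAL = set(',+"\\<>;')


def _escape_value(value, non_ascii_as_octets):
    """Escape one attribute value for the DN string form.

    non_ascii_as_octets=True: RFC 2253 section 2.4, a character outside
    printable ASCII is UTF-8 encoded and every octet written as '\\XX'.
    non_ascii_as_octets=False: my reading of xmldsig-core 4.4.4 (assumption),
    non-ASCII stays as characters, control characters become '\\XX' and a
    trailing space becomes '\\20'.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i == 0):
            out.append('\\' + ch)
        elif ch == ' ' and i == last:
            out.append('\\ ' if non_ascii_as_octets else '\\20')
        elif non_ascii_as_octets and not (0x20 <= ord(ch) <= 0x7e):
            out.append(''.join('\\%02X' % b for b in ch.encode('utf-8')))
        elif ord(ch) < 0x20:
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def encode_rfc2253(rdns):
    """rdns is a list of (type, value) pairs already in string order."""
    return ','.join('%s=%s' % (t, _escape_value(v, True)) for t, v in rdns)


def encode_xmldsig(rdns):
    return ','.join('%s=%s' % (t, _escape_value(v, False)) for t, v in rdns)


def _decode_value(raw):
    """Undo the escaping: '\\XX' -> that octet, '\\c' -> c.  Octets are
    collected and decoded as UTF-8 at the end so an escaped multibyte
    sequence such as \\C4\\8D comes back as the single character it encodes."""
    buf = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))
                i += 3
                continue
            buf += raw[i + 1].encode('utf-8')
            i += 2
            continue
        buf += raw[i].encode('utf-8')
        i += 1
    return buf.decode('utf-8')


def _trim(raw):
    """Drop unescaped whitespace around a value; keep an escaped trailing space."""
    raw = raw.lstrip(' ')
    while raw.endswith(' ') and not raw.endswith('\\ '):
        raw = raw[:-1]
    return raw


def parse_dn(dn):
    """Minimal parser for this example: splits on unescaped ',' and on the
    first '=' of each RDN, trims whitespace around them and unescapes the
    value.  Multi-valued RDNs ('+'), quoted values and '#'-hex values are
    not handled."""
    rdns, start, i = [], 0, 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ',':
            typ, _, val = dn[start:i].partition('=')
            rdns.append((typ.strip(), _decode_value(_trim(val))))
            start = i + 1
        elif dn[i] == '\\':
            i += 1  # skip the escaped character
        i += 1
    return rdns


def _match_key(typ, val, rules):
    # Assumed rule table: 'caseIgnore' (default) collapses whitespace runs,
    # strips the ends and case-folds; 'exact' compares the value verbatim.
    if rules.get(typ.upper(), 'caseIgnore') == 'caseIgnore':
        return re.sub(r'\s+', ' ', val).strip().casefold()
    return val


def normalize(dn, rules=None):
    rules = rules or {}
    return tuple((t.upper(), _match_key(t, v, rules)) for t, v in parse_dn(dn))


def dn_equal(a, b, rules=None):
    """Compare two DN strings, whichever of the two encodings each uses."""
    return normalize(a, rules) == normalize(b, rules)


if __name__ == '__main__':
    rdns = [('CN', 'Lučić'), ('O', 'Acme, Inc.'), ('C', 'IE')]   # constructed sample
    print(encode_rfc2253(rdns))
    print(encode_xmldsig(rdns))
    print(dn_equal('CN=fred or bob', 'CN = FreD or BOB'))
    print(dn_equal('C=IE', 'C=ie'), dn_equal('C=IE', 'C=ie', {'C': 'exact'}))
```

Because `parse_dn` decodes both `\XX` octets and bare non-ASCII characters to the same value, a comparator that works on decoded values treats the RFC 2253 form and the XMLDSIG form of one name as equal; the difference the message describes is in the string form only, and option a) or b) decides which string form the SAML side must produce and accept.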