OASIS Mailing List Archives
security-services message



Subject: Re: [security-services] Final text for NameIdentifier (includes fixes from March 5 Con-Call)


I'm sorry that I'm weighing in on this so late, but I have just a 
couple of comments on the text below:

Mishra, Prateek wrote:

> 2.4.2.2 Element <NameIdentifier>
> 
> The <NameIdentifier> element specifies a subject by a combination of 
> a name qualifier, a name and a format. It has the following attributes:
> 
> NameQualifier [Optional]
>          The security or administrative domain that qualifies the name 
> of the subject.
>           The NameQualifier attribute provides a means to federate names 
> from disparate user stores without collision.  
> 
> Format [Optional]
>            The syntax used to describe the name of the subject
> 
> Format values are URIs. The following standard values are defined as URI 
> fragment
> identifiers. The base for these identifiers is the SAML assertion 
> namespace URI.


I would rather see the entire URI references spelled out here, but 
even if this isn't done, I think the description should be like this:

"The format value MUST be a URI reference.  The following URI 
references are standardized by SAML, where only the fragment 
identifier portion is shown, assuming a base URI of the SAML assertion 
namespace name:..."


> #emailAddress:


(Remove the colons from the ends of these to avoid confusion)


>        Indicates that the value of the Name element MUST be an email 
> address.
>        The format of an email address is an "addr-spec" as defined in 
> RFC 2822 [RFC 2822].


Should be: "Indicates the content of the NameIdentifier element is an 
email address..."


>        An addr-spec has the form "local-part@domain". Note that an addr-spec
>        has no phrase (such as a common name) before it, has no comment (text
>        surrounded in parentheses) after it, and is not surrounded by "<" and
>        ">".
> 
> #X509SubjectName:
>       Indicates that the value of the Name element MUST take the 


"Indicates that the content of the NameIdentifier element is in the 
form specified..."


> form specified for the 
>       contents of the <ds:X509SubjectName> element in [DSIG]. Implementors 
> should
>       note that [DSIG] specifies encoding rules for X.509 subject names
>       that differ from the rules given in RFC2253 [RFC2253].

> 
> #WindowsDomainQualifiedName:
> 
>       Indicates that the value of the Name element MUST be a Windows 


"Indicates that the content of the NameIdentifier element is a..."


> domain qualified
>       name.
> 
>       A Windows domain qualified user name is a string of the form 
> "DomainName\UserName".
> 
>       The domain name and "\" separator may be omitted.
> 
> The following schema fragment defines the <NameIdentifier> element and 
> its NameIdentifierType complex type:
> 
> <element name="NameIdentifier" type="saml:NameIdentifierType">
> <complexType name="NameIdentiferType">
>       <xsd:simpleContent>
>           <xsd:extension base="xsd:string">
>          <attribute name="NameQualifier" type="string" use="optional">
>          <attribute name="Format" type="anyURI" use="optional">
>      <xsd:simpleContent>
> </complexType>


The empty elements need /> at the end, not just >.


> The interpretation of the name qualifier and the name are left to 
> individual implementations,
> including issues of anonymity, pseudonymity, and the persistence of the 
> identifier
> with respect to the asserting and relying parties.


This seems odd to say now, since we're specifying particular formats. 
Perhaps we should remove this disclaimer in the case of the three 
standardized ones?

	Eve

-- 
Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com
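As an added example (not part of the list message above, nor of the SAML draft it quotes), the following Python checks the content of a <NameIdentifier> element against the three standardized Format values under discussion, and resolves a fragment-only Format against a base URI the way Eve's proposed wording describes. The assertion namespace URI, the sample elements and every function name are assumptions of the example. The X509SubjectName check is structural only (RFC 2253 shape: comma-separated RDNs, backslash escapes); it does not enforce the DSIG-specific encoding differences the draft warns about.

```python
"""Validate the content of a SAML 1.0 <NameIdentifier> against its Format.

Added example, not text from the mailing list. SAML_ASSERTION_NS is an
assumption (the SAML 1.0 assertion namespace); the quoted draft only says
"the SAML assertion namespace URI". The SAMPLES at the bottom are constructed.
"""
import re
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # assumed base URI


def resolve_format(fmt, base=SAML_ASSERTION_NS):
    """"#emailAddress" is a same-document reference: base URI plus fragment.
    Anything else is taken as an already absolute URI reference."""
    return base + fmt if fmt.startswith("#") else fmt


# RFC 2822 addr-spec = local-part "@" domain. No display name, no comment,
# no angle brackets and no whitespace are accepted anywhere.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
_QUOTED_STRING = r'"(?:[^"\\\r\n]|\\[^\r\n])*"'
_DOMAIN_LITERAL = r"\[(?:[^\[\]\\\r\n]|\\[^\r\n])*\]"
_ADDR_SPEC = re.compile(
    rf"(?:{_DOT_ATOM}|{_QUOTED_STRING})@(?:{_DOT_ATOM}|{_DOMAIN_LITERAL})")


def is_email_address(value):
    return _ADDR_SPEC.fullmatch(value) is not None


_WIN_FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # characters Windows rejects in account names


def _valid_windows_name(part):
    return bool(part) and part == part.strip() and not (set(part) & _WIN_FORBIDDEN)


def is_windows_domain_qualified_name(value):
    # "DomainName\UserName", or a bare "UserName" (domain and "\" omitted together).
    domain, sep, user = value.rpartition("\\")
    if sep and not _valid_windows_name(domain):  # separator present, so domain required
        return False
    return _valid_windows_name(user)


_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*")


def _split_unescaped(s, sep):
    """Split on sep while honouring RFC 2253 backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 == len(s):
                raise ValueError("dangling escape")
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def is_x509_subject_name(value):
    """RFC 2253 shape only: RDNs separated by ',', each one or more '+'-joined
    "type=value" pairs. XML-DSIG's extra escaping rules are not enforced."""
    try:
        for rdn in _split_unescaped(value, ","):
            for ava in _split_unescaped(rdn, "+"):
                attr_type, eq, attr_value = ava.partition("=")
                if not eq or not _ATTR_TYPE.fullmatch(attr_type.strip()) or not attr_value.strip():
                    return False
    except ValueError:
        return False
    return True


FORMAT_CHECKS = {
    SAML_ASSERTION_NS + "#emailAddress": is_email_address,
    SAML_ASSERTION_NS + "#X509SubjectName": is_x509_subject_name,
    SAML_ASSERTION_NS + "#WindowsDomainQualifiedName": is_windows_domain_qualified_name,
}


def check_name_identifier(xml_text):
    """Parse one <saml:NameIdentifier>; 'conforms' is None when Format is absent
    or not one of the three standardized values (left to implementations)."""
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}NameIdentifier" % SAML_ASSERTION_NS:
        raise ValueError("not a saml:NameIdentifier element: " + el.tag)
    fmt = el.get("Format")
    resolved = resolve_format(fmt) if fmt is not None else None
    name = el.text or ""  # xsd:string content: whitespace is significant, so no strip()
    check = FORMAT_CHECKS.get(resolved)
    return {"format": resolved, "name_qualifier": el.get("NameQualifier"),
            "name": name, "conforms": check(name) if check else None}


SAMPLES = [  # constructed input: the last one carries a display name, which is not an addr-spec
    '<saml:NameIdentifier xmlns:saml="%s" NameQualifier="example.com" '
    'Format="#emailAddress">alice@example.com</saml:NameIdentifier>' % SAML_ASSERTION_NS,
    '<saml:NameIdentifier xmlns:saml="%s" Format="%s#X509SubjectName">'
    'CN=Alice Example,O=Example Corp,C=US</saml:NameIdentifier>' % (SAML_ASSERTION_NS, SAML_ASSERTION_NS),
    '<saml:NameIdentifier xmlns:saml="%s" NameQualifier="EXAMPLE" '
    'Format="#WindowsDomainQualifiedName">EXAMPLE\\alice</saml:NameIdentifier>' % SAML_ASSERTION_NS,
    '<saml:NameIdentifier xmlns:saml="%s" Format="#emailAddress">'
    'Alice &lt;alice@example.com&gt;</saml:NameIdentifier>' % SAML_ASSERTION_NS,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_name_identifier(sample))
```

A relying party that consumes these identifiers should treat a Format it does not recognise as "unknown" (the None result above) rather than silently accepting the string, and should compare NameQualifier as well as the name when mapping to a local account, since the draft introduces the qualifier precisely to keep names from different stores from colliding.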


