
Subject: RE: [security-services] ISSUE: core-27: RespondWith specified queries return AN assertion


Jeff, 




The core issue here is the use of the word "an" in
the discussion of <RespondWith>. This
is a straightforward error (IMHO). Removal of the word
"an" and use of the plural assertions is all that is required
here.

3.2.1.1

#SingleStatement
       Assertions carrying exactly one statement

#MultipleStatement
       Assertions carrying at least one statement 

ETC...

There is no relationship between the type of a query and
values of the RespondWith element. If you have an AuthN query
that includes a <RespondWith> element with value
"AuthorizationDecisionStatement" you probably won't get anything
back. Nonsensical constraints can certainly be expressed (e.g., combination
of SingleStatement and MultipleStatement) and are
basically the requestor's problem.

If you query for 5 assertions using AssertionID/assertionArtifact
and the responder can only find 4, well, then, the constraints
expressed by the query cannot be met by the responder. It should return no
assertions but with status code set to SUCCESS.

- prateek





>>> #SingleStatement.
>>
>>The above is only partially correct, it seems, because there can be multiple
>><RespondWith> elements in a request based on <RequestAbstractType> (Section
>>3.2.1, line 935).
>>
>>The relationship between <RespondWith> element(s) and queries in a <Request>
>>appears to be undefined (or maybe I'm not finding it).
>>
>>Since <SubjectQuery>, <AuthenticationQuery>, <AttributeQuery>, and
>><AuthorizationDecisionQuery> each query about a single Subject, what does it
>>mean to have more than one <RespondWith> element attached to a <Request>
>>containing one of those queries?
>>
>>And since each <RespondWith> is semantically defined as meaning "an assertion",
>>does it mean that if I make an <AuthenticationQuery> about some Subject, and
>>include more than one <RespondWith> element, that the responder should "AND"
>>the values of the <RespondWith> elements when concocting its response?
>>
>>What if such an ANDing doesn't necessarily make sense, for example if I make an
>><AuthenticationQuery> about some Subject and include two <RespondWith>
>>elements, one whose value is #SingleStatement and the other whose value is
>>#AuthorizationDecisionStatement?
>>
>>Other pathological cases are easy to concoct, including ones that sorta might
>>make sense (eg <AuthenticationQuery> w/ #MultipleStatement and
>>#AuthenticationStatement and #AttributeStatement specified in multiple
>><RespondWith> elements).
>>
>>
>>Also, <AssertionIDReference> and <AssertionArtifact> queries may explicitly
>>query based on multiple values of AssertionIDReferences or AssertionArtifacts.
>>If <RespondWith> is present, must the number of <RespondWith> instances equal
>>the number of instances of <AssertionIDReference> or <AssertionArtifact>
>>elements? What if they differ?
>>




>>> The "an assertion" language in Section 3.2.1.1 of core-27 needs to be cleaned
>>> up to bring it in line with section 3.4.2.
>>
>>Actually, the "an assertion" language may be OK and it is more other aspects,
>>as described above, that need to be clarified.
>>
>>JeffH
>>
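
One reading of the responder behaviour described in this message, sketched as an added example that is not part of the thread or of the SAML specification. ANDing multiple RespondWith values (the reading asked about in the quoted text), treating a statement-type value as "carries such a statement", and all names and sample data are assumptions.

```python
from dataclasses import dataclass

STATUS_SUCCESS = "Success"  # stands in for the SUCCESS status the message refers to

@dataclass(frozen=True)
class Assertion:
    assertion_id: str
    statements: tuple  # names of the statement types the assertion carries

def satisfies(assertion, respond_with):
    """True if the assertion meets every RespondWith value (assumed ANDed)."""
    for value in respond_with:
        if value == "SingleStatement":
            ok = len(assertion.statements) == 1
        elif value == "MultipleStatement":
            ok = len(assertion.statements) >= 1  # "at least one", as listed above
        else:
            # Assumption: a statement-type value matches an assertion that
            # carries at least one statement of that type.
            ok = value in assertion.statements
        if not ok:
            return False
    return True

def subject_query(candidates, respond_with):
    """Return the candidate assertions that satisfy the RespondWith values."""
    return STATUS_SUCCESS, [a for a in candidates if satisfies(a, respond_with)]

def id_query(store, wanted_ids):
    """All-or-nothing lookup: one missing ID means no assertions, still SUCCESS."""
    if any(i not in store for i in wanted_ids):
        return STATUS_SUCCESS, []
    return STATUS_SUCCESS, [store[i] for i in wanted_ids]

# Constructed sample data: what a responder might hold for one subject.
STORE = {a.assertion_id: a for a in (
    Assertion("id-1", ("AuthenticationStatement",)),
    Assertion("id-2", ("AuthenticationStatement", "AttributeStatement")),
)}
AUTHN_CANDIDATES = list(STORE.values())
```

Under this reading an empty SUCCESS response is ambiguous to the requester: it can mean that nothing matched the RespondWith values or that one requested ID was missing.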

