OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: [security-services] ISSUE (RFE): Add IssuerFormat to make assertionchaining possible


I've been asked by my colleague, Anne Anderson, to pass along this 
request for enhancement.  I have paraphrased her request; hopefully I 
got the details right.

Problem statement: Currently, Issuer is just an opaque string, and 
therefore it's not possible to make assertions about a subject and have 
the assertion be understood to apply to an issuer of the "same name." 
For example, an assertion that says "This subject is to be trusted to 
issue assertions" wouldn't be very helpful without some proprietary 
interpretation in the middle.

Suggested solution: Add an IssuerFormat attribute everywhere the Issuer 
attribute appears, providing an application default of a new URI that 
means "string" but allowing for RFC 822 names, X.500 names, email 
addresses, etc.  This would allow assertions about a subject, where the 
subject is demonstrably identical to some issuer.  The actual strings 
used in NameIdentifier and Issuer might or might not be literally equal, 
depending on the variability allowed according to the format chosen 
(e.g., "SUN.COM" and "Sun.COM" would net out to the same according to 
RFC 822 rules).

	Eve
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 883 5917
XML Web Services / Industry Initiatives      eve.maler @ sun.com



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC