Subject: [security-services] ISSUE (RFE): Add IssuerFormat to make assertion chaining possible
I've been asked by my colleague, Anne Anderson, to pass along this request for enhancement. I have paraphrased her request; hopefully I got the details right.

Problem statement: Currently, Issuer is just an opaque string, and therefore it's not possible to make assertions about a subject and have the assertion be understood to apply to an issuer of the "same name." For example, an assertion that says "This subject is to be trusted to issue assertions" wouldn't be very helpful without some proprietary interpretation in the middle.

Suggested solution: Add an IssuerFormat attribute everywhere the Issuer attribute appears, providing an application default of a new URI that means "string" but allowing for RFC 822 names, X.500 names, email addresses, etc. This would allow assertions about a subject, where the subject is demonstrably identical to some issuer. The actual strings used in NameIdentifier and Issuer might or might not be literally equal, depending on the variability allowed according to the format chosen (e.g., "SUN.COM" and "Sun.COM" would net out to the same according to RFC 822 rules).

Eve
--
Eve Maler +1 781 442 3190
Sun Microsystems cell +1 781 883 5917
XML Web Services / Industry Initiatives eve.maler @ sun.com
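Added example, not part of the original message or of any SAML specification: a sketch of the format-aware comparison the request describes, deciding whether the subject of one assertion names the issuer of another. The format URIs, function names and sample data are hypothetical, only the opaque-string and RFC 822 cases are covered, and comparing the local part of an address exactly is this example's choice.

```python
# Added illustration; IssuerFormat is only a proposal in the message above.
# The format URIs below are hypothetical placeholders, not defined by any spec.
FORMAT_STRING = "urn:example:name-format:string"   # opaque string, exact match
FORMAT_RFC822 = "urn:example:name-format:rfc822"   # RFC 822 name or address


def _canon_rfc822(name):
    """Canonical form: domain part lowercased, local part left untouched."""
    name = name.strip()
    if not name:
        raise ValueError("empty name")
    local, at, domain = name.rpartition("@")
    if at:
        if not local or not domain:
            raise ValueError("malformed address: %r" % name)
        return local + "@" + domain.lower()
    return name.lower()  # bare domain name such as "SUN.COM"


_CANON = {FORMAT_STRING: lambda s: s, FORMAT_RFC822: _canon_rfc822}


def same_principal(subject, subject_format, issuer, issuer_format=FORMAT_STRING):
    """True only if the NameIdentifier and Issuer denote the same name.

    Fails closed: differing formats, unknown formats and malformed names
    never match, so a lookalike name cannot inherit issuing trust.
    """
    if subject_format != issuer_format:
        return False
    canon = _CANON.get(subject_format)
    if canon is None:
        return False
    try:
        return canon(subject) == canon(issuer)
    except ValueError:
        return False


def chain_is_trusted(delegation, assertion):
    """Does `delegation` (about a subject) cover the issuer of `assertion`?"""
    return same_principal(delegation["subject"], delegation["subject_format"],
                          assertion["issuer"], assertion["issuer_format"])


# Constructed sample data using the names quoted in the message.
DELEGATION = {"subject": "SUN.COM", "subject_format": FORMAT_RFC822}
ASSERTION = {"issuer": "Sun.COM", "issuer_format": FORMAT_RFC822}
```

With the default "string" format the same two names do not match, which is the situation the problem statement describes.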