Re: [security-services] Comments on Issuer Format proposal(28d-draft-solution-0.1.pdf)

["RL 'Bob' Morgan" <rlmorgan@washington.edu>]

> In any case, I'd like to see a clear use case where knowing either the
> format or the classification makes a real difference to a SAML or XACML
> deployment.

I think the main argument for this proposal, other than consistency with
XACML, is consistency between Subject and Issuer.  I believe I argued for
this myself, a long time ago.  The motivation for consistency is, as the
proposal says, that sometimes Issuers will be Subjects.  For example, an
assertion might state that a Subject has attributes that represent
capabilities of that Subject acting as an Issuer.  The suggestion that we
treat configuration data (aka metadata) exchange as attribute exhange
would make this common, it seems to me.  It seems to me that all the
considerations that led us to a 3-part Subject nameidentifier
(NameQualifier, Format, Name string itself) apply to Issuers as well.

I suppose an argument for Issuer to be simply a string is that it is
likely to be matched against a name supplied by a signing credential such
as an X.509 cert, which is a string or which can be converted to a string
for matching purposes.

Perhaps the use case of making a Statement whose Subject is the Issuer of
a different Assertion needs to be written down to clarify the
requirements.

 - RL "Bob"