
security-services message



Subject: RE: [security-services] A3.1 Meta-data Use-Cases / A3.2 Meta-data exchange Use-Case


[Prateek]
I guess your point here is that this requirement does not suggest that a single element should capture both parts of the relationship. It is enough if given a (IdP, SP) tuple we can identify the SP meta-data and the IdP meta-data, each in its own separate document. I guess that works for me.
[/Prateek]
My thinking is that an IdP may want to provide metadata that is independent of a particular SP (and vice versa). Thus, any "pairing" of IdP and SP (insofar as metadata is concerned) is mostly artificial. At the risk of over-simplifying this, perhaps the single metadata document is nothing more than a concatenation of the two individual documents wrapped in a <EntityDescriptors> element (or some such).
Jahan
------
Jahan Moreh
Chief Security Architect
310.286.3070

-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Friday, November 07, 2003 11:56 AM
To: 'jmoreh@sigaba.com'; Mishra, Prateek
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] A3.1 Meta-data Use-Cases / A3.2 Meta-data exchange Use-Case
[Jahan]

Prateek -

Can you please help clarify the following for me:
>>>"Given an (IdP, SP) pair, it should be possible to extract the relevant meta-data as a single element from the representation
Are you suggesting it should be possible to express metadata for IdP and SP in one document? If so, are there any semantics built into the notion of "IdP, SP pair"? In other words, if an IdP is paired with an SP (and vice versa), what is the use of the IdP to know about its own metadata (and, conversely, what is the use of the SP to know about its own metadata)?

[/Jahan]

My thoughts on why an IdP needs to have access to its own meta-data (and conversely) were primarily around debugging/tracking/policy analysis. If an (IdP, SP) have a federation relationship --- for example, that they support account linking using the artifact profile --- it should be possible to put together a single document that captures their relationship. If there is a problem, we can then check to see if both sides have the same document.
I guess your point here is that this requirement does not suggest that a single element should capture both parts of the relationship. It is enough if given a (IdP, SP) tuple we can identify the SP meta-data and the IdP meta-data, each in its own separate document. I guess that works for me.
- Prateek
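As an added illustration (not part of this thread or of any OASIS specification text), the following Python sketch shows the two views discussed above side by side: each entity keeps its own independent descriptor, a combined document is assembled only when a given (IdP, SP) tuple is asked for, and a canonicalised fingerprint supports Prateek's "check that both sides hold the same document" debugging step. It assumes the element and attribute names the later SAML 2.0 metadata schema settled on (EntitiesDescriptor wrapping EntityDescriptor, with an entityID attribute); the entity IDs and endpoint URLs are constructed sample values.

```python
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace
ET.register_namespace("md", MD)

# Constructed sample registry: one independent EntityDescriptor per entity,
# keyed by entityID. Neither descriptor knows anything about the other side.
REGISTRY = {
    "https://idp.example.org": f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""",
    "https://sp.example.com": f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sp.example.com/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""",
}


def pair_document(idp_id: str, sp_id: str, registry: dict = REGISTRY) -> str:
    """Concatenate the two independent descriptors under one EntitiesDescriptor."""
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor")
    for entity_id in (idp_id, sp_id):
        root.append(ET.fromstring(registry[entity_id]))  # KeyError for an unknown entity
    return ET.tostring(root, encoding="unicode")


def extract(pair_xml: str, entity_id: str) -> str:
    """Pull one side's descriptor back out of the combined document."""
    root = ET.fromstring(pair_xml)
    for child in root.findall(f"{{{MD}}}EntityDescriptor"):
        if child.get("entityID") == entity_id:
            return ET.tostring(child, encoding="unicode")
    raise LookupError(f"{entity_id} is not part of this pair document")


def fingerprint(xml_text: str) -> str:
    """SHA-256 over the C14N form, so whitespace differences do not mask a real mismatch."""
    canon = ET.canonicalize(xml_data=xml_text, strip_text=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def same_relationship(idp_copy: str, sp_copy: str) -> bool:
    """True when the IdP's and the SP's copies of the pair document agree."""
    return fingerprint(idp_copy) == fingerprint(sp_copy)
```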