

Subject: Comments on core-2.0-cd-01 - Assertion Issuee



Issue: Assertion type/schema does not describe the system entities an
       assertion was issued to.


 There should be an identifier which reflects the party (or parties)
 the assertion was issued to. With X.509 end entity certificates the
 issuee is described by either the SubjectName or the
 SubjectAltName. However, SAML is much more flexible with respect to
 the role of the entity being described by the <Subject> element.

 We clearly want this latitude but at the same time I would expect
 there to be cases where the relying party may need additional
 information to distinguish between the issuee and the subject of the
 assertion.

 My recommendation would be to add a child element to <Assertion> which
 reflects the party (or parties) the authority issued the assertion
 to.

 Suggested schema follows:

  <complexType name="IssuedToType">
    <sequence>
      <!-- A local element declaration requires a name; "NameID" (the SAML
           element whose type is saml:NameIDType) is supplied here, as the
           original declaration omitted it. -->
      <element name="NameID" type="saml:NameIDType" maxOccurs="unbounded"/>
    </sequence>
  </complexType>

  <!-- Type reference qualified with the saml: prefix, matching the other
       type references in this schema. -->
  <element name="IssuedTo" type="saml:IssuedToType"/>

 I would suggest that the guidance regarding the Format attribute
 be analogous to the guidance given for the <Issuer> element.


The AssertionType schema would thus have the added (+) IssuedTo
element as shown below.

 <element name="Assertion" type="saml:AssertionType"/>
 <complexType name="AssertionType">
    <sequence>
      <element ref="saml:Issuer"/>
      <element ref="ds:Signature" minOccurs="0"/>
+     <element ref="saml:IssuedTo" minOccurs="0"/>
      <element ref="saml:Subject" minOccurs="0"/>
      <element ref="saml:Conditions" minOccurs="0"/>
      <element ref="saml:Advice" minOccurs="0"/>
      <choice minOccurs="0" maxOccurs="unbounded">
	<element ref="saml:Statement"/>
	<element ref="saml:AuthnStatement"/>
	<element ref="saml:AuthzDecisionStatement"/>
	<element ref="saml:AttributeStatement"/>
      </choice>
    </sequence>
    <attribute name="Version" type="string" use="required"/>
    <attribute name="ID" type="ID" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="required"/>
 </complexType>

 The semantic around the presence or absence of an <IssuedTo> element
 should be that if the element is absent from the assertion the
 intention is that the assertion was issued to the Subject, and/or the
 <IssuedTo> party is "implied".

--
mailto:gfe@sun.com                                     http://tinyurl.com/yrbj6
"Baseball is 90% mental, the other half is physical."
 --  Yogi Berra
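As an added example (not part of this message or of the SAML specification), the following Python shows how a relying party could apply the proposed presence/absence rule: use the explicit <IssuedTo> NameIDs when present, otherwise treat the <Subject> as the implied issuee. It assumes, mirroring the <Issuer> guidance in SAML 2.0 core, that an omitted Format on an IssuedTo NameID means the entity identifier format; the assertion instances are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Assumption: an omitted Format on an <IssuedTo> NameID means the entity
# identifier format, mirroring the <Issuer> default in SAML 2.0 core.
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def name_ids(parent):
    """(Format, value) pairs for the saml:NameID children of parent."""
    return [(n.get("Format") or ENTITY_FORMAT, (n.text or "").strip())
            for n in parent.findall("saml:NameID", NS)]

def issuees(assertion_xml):
    """Resolve the issuee(s) under the proposed rule: explicit <IssuedTo>
    NameIDs when present, otherwise the <Subject> is the implied issuee.
    Returns (list of (Format, value), implied_flag)."""
    root = ET.fromstring(assertion_xml)
    issued_to = root.find("saml:IssuedTo", NS)
    if issued_to is not None:
        ids = name_ids(issued_to)
        if not ids:
            raise ValueError("<IssuedTo> present but carries no NameID")
        return ids, False
    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise ValueError("neither <IssuedTo> nor <Subject>: issuee unknown")
    return name_ids(subject), True

def accept_as_issuee(assertion_xml, my_entity_id):
    """Relying-party check: was this assertion issued to my_entity_id?
    Returns (accepted, issuee_was_implied_from_subject)."""
    ids, implied = issuees(assertion_xml)
    return (ENTITY_FORMAT, my_entity_id) in ids, implied

# Constructed sample assertions (not from the message or any real deployment).
HEADER = (f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_a1" '
          'IssueInstant="2004-01-01T00:00:00Z">'
          '<saml:Issuer>https://idp.example.com</saml:Issuer>')
SUBJECT = (f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">'
           'alice@example.org</saml:NameID></saml:Subject>')
WITH_ISSUED_TO = (HEADER + '<saml:IssuedTo>'
                  '<saml:NameID>https://sp.example.org</saml:NameID>'
                  f'<saml:NameID Format="{ENTITY_FORMAT}">https://audit.example.org</saml:NameID>'
                  '</saml:IssuedTo>' + SUBJECT + '</saml:Assertion>')
SUBJECT_ONLY = HEADER + SUBJECT + '</saml:Assertion>'
```

A relying party that is not among the explicit issuees gets (False, False); when the issuee is only implied from a non-entity Subject it gets (False, True), which is the case the message says needs distinguishing.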

