Subject: Re: [security-services] Additional comments on core-02
Rob and Scott,

I am not sure that I understand the existing lines 624-633:

> If the <Subject> element contains both an identifier and one or more
> subject confirmations, then the
> SAML authority is asserting that if the SAML relying party performs
> the specified
> <SubjectConfirmation>, it can treat the entity presenting the
> assertion to the relying party as the
> entity that the SAML authority associates with the name identifier for
> the purposes of processing the
> assertion.
>
> If the <Subject> element contains only one or more subject
> confirmations (without an identifier), then the
> SAML authority is asserting that if the SAML relying party performs
> the specified
> <SubjectConfirmation>, it can treat the entity presenting the
> assertion to the relying party as the
> entity that the SAML authority associates with the claims in the
> assertion for the purposes of processing
> the assertion.

To test my understanding of these lines, I reworded them as follows. I may have changed the meaning in the process, but that was not my intent.

> When the <Subject> element includes only one or more subject
> confirmations,
> the SAML authority is asserting that an entity that satisfies any of
> the specified subject confirmations
> can be treated as the entity that the authority associates with the
> claims in the assertion.
>
> When the <Subject> element includes both a name identifier and one or
> more subject confirmations,
> the SAML authority is asserting that an entity that satisfies any of
> the specified subject confirmations
> can be treated as the entity that the authority associates with the
> identifier.
>
> The SAML relying party can make these associations for the purposes of
> processing the assertion.

If this is what was meant, does this imply that when there is a name identifier, the entity that satisfies the subject confirmation cannot be treated as the entity that the authority associates with the claims in the assertion?
I think that the relying party should be allowed to make either association when the name identifier is present.

Ron

Philpott, Robert wrote:
> Here are some additional comments on core from our internal RSA
> reviews. Higher-priority items are marked with ***:
>
> 1. *** Lines 613-622 re: subject confirmation: First, since this is
> really dealing with how to treat confirmations, I recommend
> moving it into the section on <SubjectConfirmation>. Next,
> these are two very long run-on sentences and the phrasing is a
> bit confusing. I suggest this alternate text:
>
> A <Subject> element can contain both an identifier and one or more
> subject confirmations which a SAML relying party can verify when
> processing an assertion. Once verified, the relying party can treat
> the entity presenting the assertion as the entity that the SAML
> authority associates with the name identifier.
>
> A <Subject> element can also contain one or more subject confirmations
> without an identifier being present. In this case, once verified, the
> relying party can treat the entity presenting the assertion as the
> entity that the SAML authority associates with the claims in the
> assertion.
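The two cases argued over in this exchange (a <Subject> carrying a name identifier plus confirmations, versus confirmations alone) come down to what a relying party is allowed to conclude once a <SubjectConfirmation> is satisfied. The following is an added illustration written for this thread, not code from the security-services TC, the core-02 draft, or any SAML toolkit. It assumes SAML 2.0-style element names (<NameID>, <SubjectConfirmation Method="...">, <SubjectConfirmationData NotOnOrAfter="..." Recipient="..."/>), models only the bearer confirmation method, and implements the reading Ron argues for (either association is available when a name identifier is present). The sample subjects, the recipient URL and the clock values are all constructed.

```python
"""Relying-party evaluation of a SAML <Subject>: which entity the presenter may
be treated as, once a subject confirmation has been satisfied.

Added example, not code from the OASIS security-services TC or any SAML
implementation. Assumes SAML 2.0-style element names; only the bearer
confirmation method is modelled. Sample subjects, recipient and clock values
are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed relying-party endpoint (the assertion consumer URL).
MY_RECIPIENT = "https://sp.example.org/acs"

# Constructed <Subject> with both a name identifier and a bearer confirmation.
SUBJECT_WITH_NAMEID = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID>user-123</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
                                  Recipient="https://sp.example.org/acs"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""

# Constructed <Subject> with a confirmation only (no identifier present).
SUBJECT_CONFIRMATION_ONLY = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
                                  Recipient="https://sp.example.org/acs"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


@dataclass
class Association:
    """What the relying party may treat the presenter as, after confirmation."""
    confirmed: bool                 # at least one <SubjectConfirmation> was satisfied
    name_identifier: Optional[str]  # entity behind the name identifier, if one is present
    claims_subject: bool            # entity behind the claims in the assertion


def parse_time(iso_utc: str) -> datetime:
    """Parse a SAML-style UTC timestamp such as 2024-01-01T00:05:00Z."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00")).astimezone(timezone.utc)


def confirmation_satisfied(conf: ET.Element, my_recipient: str, now: datetime) -> bool:
    """True if the presenter satisfies this <SubjectConfirmation> (bearer method only)."""
    if conf.get("Method") != BEARER:
        return False                # holder-of-key and other methods are not modelled here
    data = conf.find("saml:SubjectConfirmationData", NS)
    if data is None:
        return False                # a bearer confirmation with no constraints is rejected here
    recipient = data.get("Recipient")
    if recipient is not None and recipient != my_recipient:
        return False                # the assertion was addressed to a different relying party
    not_on_or_after = data.get("NotOnOrAfter")
    if not_on_or_after is not None and now >= parse_time(not_on_or_after):
        return False                # the confirmation window has expired
    return True


def associate(subject_xml: str, my_recipient: str, now: datetime) -> Association:
    """Apply the 'either association' reading: any satisfied confirmation lets the
    relying party treat the presenter as the entity behind the claims, and also as
    the entity behind the name identifier when one is present."""
    subject = ET.fromstring(subject_xml)
    name_id = subject.find("saml:NameID", NS)
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if not any(confirmation_satisfied(c, my_recipient, now) for c in confirmations):
        return Association(confirmed=False, name_identifier=None, claims_subject=False)
    return Association(
        confirmed=True,
        name_identifier=name_id.text if name_id is not None else None,
        claims_subject=True,
    )


if __name__ == "__main__":
    now = parse_time("2024-01-01T00:00:00Z")
    print(associate(SUBJECT_WITH_NAMEID, MY_RECIPIENT, now))
    print(associate(SUBJECT_CONFIRMATION_ONLY, MY_RECIPIENT, now))
    print(associate(SUBJECT_WITH_NAMEID, MY_RECIPIENT, parse_time("2024-01-01T00:10:00Z")))
```

The first two calls show the two cases from the thread: with a name identifier the result carries both the identifier and the claims association, without one only the claims association remains. The third call shows the failure mode the relying party must handle before making any association at all: an expired (or mis-addressed) confirmation yields no association, whatever the <Subject> contains.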