Subject: Re: [security-services] Days late and dollars short, comments on "entity" terminology
Only editorial geeks should read this one. :-) Since this snippet of wording focuses on authorization decision assertions, whose functionality we've frozen, it may not even matter in the big scheme of things. But just as an intellectual exercise...

Scott Cantor wrote:
>> SAML authority:
>> core-02g-diff
>> ***2.7.4.3, 1448-1449: would be better as asserting party, as it
>> is paired with relying party
>
> Agree.

Actually, in trying to implement this one, I'm not satisfied with the change. The original is:

"Providing an assertion as evidence MAY affect the reliance agreement between the SAML relying party and the SAML authority making the authorization decision. For example, in the case that the SAML relying party presented an assertion to the SAML authority in a request, the SAML authority MAY use that assertion as evidence in making its authorization decision without endorsing the <Evidence> element's assertion as valid either to the relying party or any other third party."

Clearly a "reliance agreement" involves a relying party, so that mention is fair. But the authoritativeness of the SAML authority comes in fairly too. And then we get a mention of an assertion that came in the request, legitimizing requester/responder language. So on balance I'd keep the mentions of relying party, SAML authority, and requester as they are, even though it seems like a hodge-podge.

However, I have to admit that I'm not sure in what sense the second sentence is actually an example of affecting the "reliance agreement" (a term that appears nowhere else). If what is meant is that the relying party should not rely on assertions provided as evidence even if they came from the relying party in the original request, the following wording would be better:

"No endorsement of validity by the SAML authority should [note lowercase] be inferred for any assertions or references to assertions provided as evidence in an authorization decision. For example, an assertion that was provided in an authorization decision request might be duplicated in the decision as evidence, without any intervening validity-checking process."

I don't believe this suggested wording changes any conformance parameters because the original MAYs were not exactly on target for their purpose. If there's an outpouring of support for this change, I can make it. Otherwise, never mind!

Eve
--
Eve Maler                                    +1 781 442 3190
Sun Microsystems                        cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com
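The point made above about evidence, as an added example that is not code from this thread, from the SAML specification, or from Sun: a relying party in Python that verifies only the outer authorization decision assertion and treats anything echoed inside <Evidence> as unverified until it re-checks it against its own trust list. The SAML 1.0 namespace and element names are the real ones; the sample XML, the issuer names, and the issuer allow-list that stands in for signature verification are constructed assumptions of the example.

```python
"""Added example, not code from the security-services thread or from the SAML
spec: a relying party that consumes a SAML 1.x AuthorizationDecisionStatement
and, in line with the wording proposed above, never infers that the SAML
authority endorsed whatever it placed inside <Evidence>.  Element names and
the namespace follow SAML 1.0 core; the sample XML, issuer names, and the
issuer allow-list standing in for signature verification are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
Q = "{%s}" % SAML_NS  # Clark-notation prefix for comparing tags

# Constructed sample: the PDP "pdp.example.org" returns Permit and echoes, as
# evidence, the attribute assertion the relying party itself supplied in its
# request (issued by "idp.example.com"), plus a bare reference to another.
SAMPLE_DECISION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="pdp-decision-001"
    Issuer="pdp.example.org" IssueInstant="2002-09-18T10:00:00Z">
  <saml:AuthorizationDecisionStatement
      Resource="https://app.example.com/report" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
    <saml:Evidence>
      <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="idp-attr-777"
          Issuer="idp.example.com" IssueInstant="2002-09-18T09:55:00Z">
        <saml:AttributeStatement>
          <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
          <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
            <saml:AttributeValue>analyst</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
      <saml:AssertionIDReference>idp-authn-778</saml:AssertionIDReference>
    </saml:Evidence>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>
"""


def issuer_is_trusted(assertion, trusted_issuers):
    """Stand-in for verifying ds:Signature (an assumption of this example):
    an assertion counts as verified when its Issuer is in the caller's list."""
    return assertion.get("Issuer") in trusted_issuers


def read_decision(xml_text, trusted_pdps):
    """Parse the outer decision assertion and verify *only* that one.
    Everything under <Evidence> is returned flagged verified=False."""
    root = ET.fromstring(xml_text)
    if root.tag != Q + "Assertion":
        raise ValueError("not a SAML assertion")
    if not issuer_is_trusted(root, trusted_pdps):
        raise ValueError("decision assertion from untrusted issuer")
    stmt = root.find("saml:AuthorizationDecisionStatement", NS)
    if stmt is None:
        raise ValueError("no AuthorizationDecisionStatement")
    evidence = []
    for item in stmt.findall("saml:Evidence/*", NS):
        if item.tag == Q + "Assertion":
            evidence.append({"kind": "assertion", "id": item.get("AssertionID"),
                             "issuer": item.get("Issuer"), "element": item,
                             "verified": False})
        elif item.tag == Q + "AssertionIDReference":
            # A reference cannot be checked without dereferencing it, so it
            # is never trusted on the strength of the decision alone.
            evidence.append({"kind": "reference", "id": (item.text or "").strip(),
                             "issuer": None, "element": item, "verified": False})
    return {
        "decision": stmt.get("Decision"),
        "resource": stmt.get("Resource"),
        "subject": stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS),
        "actions": [a.text for a in stmt.findall("saml:Action", NS)],
        "evidence": evidence,
    }


def validate_evidence(decision, trusted_evidence_issuers):
    """Independently re-check embedded evidence assertions against the relying
    party's *own* trust list and return the IDs that pass.  The PDP's trust is
    never transferred to the evidence, so the PDP allow-list plays no part."""
    passed = []
    for ev in decision["evidence"]:
        if ev["kind"] == "assertion" and issuer_is_trusted(ev["element"],
                                                           trusted_evidence_issuers):
            ev["verified"] = True
            passed.append(ev["id"])
    return passed


if __name__ == "__main__":
    d = read_decision(SAMPLE_DECISION, {"pdp.example.org"})
    print(d["decision"], d["resource"], d["actions"])
    print("evidence before independent check:",
          [(e["id"], e["verified"]) for e in d["evidence"]])
    print("evidence passing RP's own check:",
          validate_evidence(d, {"idp.example.com"}))
```

The failure mode this guards against is a relying party that, having accepted the decision from a trusted PDP, reads the attributes out of the echoed evidence assertion as if the PDP had vouched for them; here the evidence stays `verified=False` until the relying party runs its own check, and an `AssertionIDReference` can never be promoted without being dereferenced and checked separately.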