OASIS Mailing List Archives


security-services message



Subject: SECURITY-7 PE on persistent IDs


I considered my proposal after the discussion with Rob on the last call, and I think I'm still happy with what I proposed.

The current paragraph (with one previous errata) looks like this:

"Indicates that the content of the element is a persistent opaque identifier for a principal that is specific to an identity provider and a service provider or affiliation of service providers. Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities. Persistent name identifier values MUST NOT exceed a length of 256 characters. A given value, once associated with a principal, MUST NOT be assigned to a different principal at any time in the future."

My suggested text is:

"Persistent name identifiers generated by identity providers MUST be constructed using values that have no discernible correspondence with the subject's actual identity (for example, username). They MAY be pseudo-random values, or generated in any other manner, provided there is no guessable relationship between the value and the subject's underlying identity, and that they are unique within the range of values generated by a given identity provider for a given service provider or affiliation of providers. The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities. Persistent name identifier values MUST NOT exceed a length of 256 characters. A given value, once associated with a principal, MUST NOT be assigned to a different principal at any time in the future."

I believe that the constraint "they are unique within the range of values generated by a given identity provider for a given service provider or affiliation of providers" is sufficient to guarantee no compromise of any assumptions that should have been held by a relying party.

I specifically disagree that it was ever a requirement that if you changed the NameQualifier or SPNameQualifier that the value itself has any meaning in relationship to the same value with the original qualifiers. Which is to say that there was never any requirement for global uniqueness without those qualifiers. If there were, the qualifiers wouldn't have been needed, they would have been redundant.
 
So I don't see any deficiencies in my suggested text, and would like to see it adopted.

-- Scott
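The proposed text above allows a persistent identifier to be either a pseudo-random value or a value "generated in any other manner", as long as it has no guessable relationship to the subject's identity, is unique per (identity provider, service provider) scope, fits in 256 characters, and is never re-bound to another principal. The following is an added example, not code from the thread or from any SAML implementation, showing both construction strategies for one identity provider and why an unkeyed hash of the username fails the "no discernible correspondence" test. The entity IDs, principal names and the `pairwise_key` secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

MAX_LEN = 256  # "MUST NOT exceed a length of 256 characters"


class PersistentIdStore:
    """Issues pair-wise persistent NameIDs on behalf of one identity provider.

    Uniqueness and the never-reassign rule are enforced per SPNameQualifier
    (the `sp` argument); the same string bound under a different qualifier
    is a separate, unrelated binding, which is the point made in the thread.
    """

    def __init__(self, idp_entity_id, pairwise_key):
        self.idp = idp_entity_id
        self.key = pairwise_key          # assumed IdP-private secret for strategy 2
        self._by_value = {}              # (sp, value) -> principal
        self._by_principal = {}          # (sp, principal) -> value

    def bind(self, sp, value, principal):
        """Record value -> principal for this SP, refusing reuse and overlong values."""
        if len(value) > MAX_LEN:
            raise ValueError("persistent identifier exceeds 256 characters")
        owner = self._by_value.get((sp, value))
        if owner is not None and owner != principal:
            raise ValueError("value already bound to a different principal")
        self._by_value[(sp, value)] = principal
        self._by_principal[(sp, principal)] = value
        return value

    def random_id(self, principal, sp):
        """Strategy 1: pseudo-random value, remembered so the pair stays stable."""
        existing = self._by_principal.get((sp, principal))
        if existing is not None:
            return existing
        while True:
            value = secrets.token_urlsafe(32)          # 43 URL-safe characters
            if (sp, value) not in self._by_value:      # unique within this scope
                return self.bind(sp, value, principal)

    def derived_id(self, principal, sp):
        """Strategy 2: keyed derivation (HMAC over IdP, SP and principal).

        Stateless to compute, yet still pair-wise and unguessable without the key.
        The store is still consulted so the never-reassign rule holds.
        """
        msg = f"{self.idp}!{sp}!{principal}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        value = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
        return self.bind(sp, value, principal)


def weak_derive(principal, sp):
    """Anti-pattern: unkeyed hash. Deterministic, but guessable from a username list."""
    return hashlib.sha256(f"{sp}!{principal}".encode()).hexdigest()


def guess_principal(value, sp, candidates, derive):
    """Offline dictionary attack a relying party (or anyone) could run on a NameID."""
    for candidate in candidates:
        if derive(candidate, sp) == value:
            return candidate
    return None


def rejected(store, sp, value, principal):
    """True if the store refuses this binding (reuse or length violation)."""
    try:
        store.bind(sp, value, principal)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data, not taken from any deployment.
    store = PersistentIdStore("https://idp.example.org", secrets.token_bytes(32))
    nid = store.derived_id("alice", "https://sp-a.example.com")
    print("derived:", nid, "len", len(nid))
    print("random :", store.random_id("alice", "https://sp-b.example.com"))
    print("unkeyed hash guessed as:",
          guess_principal(weak_derive("alice", "sp"), "sp", ["bob", "alice"], weak_derive))
    print("HMAC value guessed as:",
          guess_principal(nid, "https://sp-a.example.com", ["bob", "alice"], weak_derive))
```

Both strategies satisfy the proposed wording; the difference is operational. The random strategy needs durable storage before the first assertion is issued, while the keyed derivation can be recomputed anywhere the key is available but makes the key a single secret whose compromise links every pseudonym.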


