Subject: Re: [security-services] Potential errata on AuthnContextDeclRef/ClassRef
On 6/1/12 12:48 AM, "robert.philpott@rsa.com" <robert.philpott@rsa.com> wrote:

> I responded that I thought that was improper since I believed it was
> intended that those URN's were to be used in conjunction with an
> <AuthnContextClassRef>, not a DeclRef. But when I went back and reread
> the relevant spec sections, it doesn't appear to me that we
> specifically disallowed it.

Well, there has to be an element of common sense. If the bucket says Fish and you drop a Chicken in it...

So I think the issue is that people don't understand the difference between them. I suppose the better OO analogy is that a class ref is like a type and a decl ref is like an instance. Fish and "Sammy the Goldfish".

> Both the ClassRef and the DeclRef use the xs:anyURI datatype, so
> obviously URN's would be allowed in either one.

Sure, but that data type also applies to NameID and Attribute Name Formats, entityIDs, etc. We don't specifically preclude those either.

> My memory is a bit fuzzy, but I believe the intention of the committee
> was as I described. If so, then the suggestion is that we re-examine
> the wording in the authn context and core specs and make it a bit
> clearer.

I think we probably need to explain what the difference is more effectively so that the common sense implication is obvious. I will file an errata in Jira.

-- Scott
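The class/declaration mix-up discussed in this message, as an added example that is not part of the original thread or of any SAML implementation: a lint check that flags a SAML 2.0 authentication context class URI placed in `<AuthnContextDeclRef>`. The function names, the sample documents and the `idp.example.org` URL are constructed for illustration; because both elements are `xs:anyURI`, the finding is a warning and not a schema violation.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# URI prefix of the authentication context classes defined by SAML 2.0.
CLASS_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"


def _refs(xml_text, element):
    """Yield the stripped text of every <element> inside an AuthnContext."""
    root = ET.fromstring(xml_text)
    for ctx in root.iter(f"{{{SAML_NS}}}AuthnContext"):
        for child in ctx.findall(f"{{{SAML_NS}}}{element}"):
            yield (child.text or "").strip()


def class_refs(xml_text):
    """Class URIs a relying party can compare against its policy."""
    return list(_refs(xml_text, "AuthnContextClassRef"))


def lint_decl_refs(xml_text):
    """Return (value, problem) for each DeclRef that carries a class URI.

    This is schema-valid XML, so it is reported as a lint warning only.
    """
    return [
        (value, "class URI used as a declaration reference")
        for value in _refs(xml_text, "AuthnContextDeclRef")
        if value.startswith(CLASS_PREFIX)
    ]


# Constructed samples (not captured traffic). Parse untrusted SAML with a
# hardened XML parser; the standard-library parser is used here only
# because the input is embedded in this file.
GOOD = f"""<saml:AuthnContext xmlns:saml="{SAML_NS}">
  <saml:AuthnContextClassRef>{CLASS_PREFIX}PasswordProtectedTransport</saml:AuthnContextClassRef>
  <saml:AuthnContextDeclRef>https://idp.example.org/authn/otp-v1.xml</saml:AuthnContextDeclRef>
</saml:AuthnContext>"""

BAD = f"""<saml:AuthnContext xmlns:saml="{SAML_NS}">
  <saml:AuthnContextDeclRef>{CLASS_PREFIX}PasswordProtectedTransport</saml:AuthnContextDeclRef>
</saml:AuthnContext>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, class_refs(doc), lint_decl_refs(doc))
```

In the second sample `class_refs` returns an empty list, so a relying party whose policy is keyed on `<AuthnContextClassRef>` sees no class at all even though a class URI is present in the assertion.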