Subject: RE: [security-services] Potential errata on AuthnContextDeclRef/ClassRef


Yep - it's always seemed common sense to me... include "class" URNs as ClassRef elements and put your "custom" declaration reference URIs in DeclRef.  But since we received an assertion from a new partner site (with a custom implementation) that put the URN in the DeclRef, I figured I'd check back with you guys before I definitively told them to ask the partner to change it. Just wanted to make sure there wasn't some obscure use case I had forgotten about.

Thanks,

Rob Philpott | Senior Technologist | RSA, the Security Division of EMC
eMail: robert.philpott@rsa.com | Office: 781.515.7115 | Mobile: 617.510.0893


> -----Original Message-----
> From: security-services@lists.oasis-open.org [mailto:security-
> services@lists.oasis-open.org] On Behalf Of Cantor, Scott
> Sent: Friday, June 01, 2012 10:55 AM
> To: Philpott, Robert; security-services@lists.oasis-open.org
> Subject: Re: [security-services] Potential errata on
> AuthnContextDeclRef/ClassRef
> 
> On 6/1/12 12:48 AM, "robert.philpott@rsa.com"
> <robert.philpott@rsa.com>
> wrote:
> >
> >
> >I responded that I thought that was improper since I believed it was
> >intended that those URNs were to be used in conjunction with an
> ><AuthnContextClassRef>, not a
> >DeclRef. But when I went back and reread the relevant spec sections, it
> >doesn't appear to me that we specifically disallowed it.
> 
> Well, there has to be an element of common sense. If the bucket says Fish
> and you drop a Chicken in it...
> 
> So I think the issue is that people don't understand the difference
> between them. I suppose the better OO analogy is that a class ref is like
> a type and a decl ref is like an instance. Fish and "Sammy the Goldfish".
> 
> >Both the ClassRef and the DeclRef use the xs:anyURI
> >datatype, so obviously URNs would be allowed in either one.
> 
> Sure, but that data type also applies to NameID and Attribute Name
> Formats, entityIDs, etc. We don't specifically preclude those either.
> 
> >
> >My memory is a bit fuzzy, but I believe the intention of the committee
> >was as I described.
> >If so, then the suggestion is that we re-examine the wording in the
> >authn context and core specs and make it a bit clearer.
> 
> I think we probably need to explain what the difference is more
> effectively so that the common sense implication is obvious.
> 
> I will file an errata in Jira.
> 
> -- Scott
> 
> 



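The ClassRef/DeclRef distinction discussed in the thread, as an added example that is not code from the thread or from the OASIS specification: a small check an SP could run over the AuthnContext of an incoming assertion, flagging a standard class URN that has been placed in AuthnContextDeclRef instead of AuthnContextClassRef. The assertion fragments are constructed here (unsigned, for illustration only) and the declaration URI is a placeholder.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Prefix shared by the standard SAML 2.0 authentication context classes.
CLASS_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
MISPLACED = "class URN in AuthnContextDeclRef; it belongs in AuthnContextClassRef"
MISSING = "AuthnContext carries neither ClassRef nor DeclRef"


def make_assertion(class_ref=None, decl_ref=None):
    """Build a minimal, unsigned assertion fragment (constructed test input)."""
    refs = ""
    if class_ref:
        refs += f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
    if decl_ref:
        refs += f"<saml:AuthnContextDeclRef>{decl_ref}</saml:AuthnContextDeclRef>"
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            '<saml:AuthnStatement AuthnInstant="2012-06-01T14:55:00Z">'
            f"<saml:AuthnContext>{refs}</saml:AuthnContext>"
            "</saml:AuthnStatement></saml:Assertion>")


def _text(parent, local_name):
    el = parent.find(f"{{{SAML_NS}}}{local_name}")
    return el.text.strip() if el is not None and el.text else None


def audit_authn_context(assertion_xml):
    """Return the refs found in the first AuthnStatement plus any warnings.

    A ClassRef names the *type* of authentication (the "Fish"); a DeclRef
    points at one concrete declaration ("Sammy the Goldfish"). A standard
    class URN sitting in DeclRef is the mix-up the thread is about.
    """
    root = ET.fromstring(assertion_xml)
    ctx = root.find(f"{{{SAML_NS}}}AuthnStatement/{{{SAML_NS}}}AuthnContext")
    if ctx is None:
        return {"class_ref": None, "decl_ref": None, "warnings": ["no AuthnContext"]}
    class_ref = _text(ctx, "AuthnContextClassRef")
    decl_ref = _text(ctx, "AuthnContextDeclRef")
    warnings = []
    if class_ref is None and decl_ref is None:
        warnings.append(MISSING)
    if decl_ref is not None and decl_ref.startswith(CLASS_PREFIX):
        warnings.append(MISPLACED)
    return {"class_ref": class_ref, "decl_ref": decl_ref, "warnings": warnings}


if __name__ == "__main__":
    # The partner's assertion from the thread, reproduced as constructed input.
    bad = make_assertion(decl_ref=CLASS_PREFIX + "PasswordProtectedTransport")
    print(audit_authn_context(bad)["warnings"])
```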