[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Potential errata on AuthnContextDeclRef/ClassRef
Yep - it's always seemed common sense to me... include "class" URNs as ClassRef elements and put your "custom" declaration reference URIs in DeclRef. But since we received an assertion from a new partner site (with a custom implementation) that put the URN in the DeclRef, I figured I'd check back with you guys before I definitively told them to ask the partner to change it. Just wanted to make sure there wasn't some obscure use case I had forgotten about.

Thanks,
Rob Philpott | Senior Technologist | RSA, the Security Division of EMC
eMail: robert.philpott@rsa.com | Office: 781.515.7115 | Mobile: 617.510.0893

> -----Original Message-----
> From: security-services@lists.oasis-open.org [mailto:security-services@lists.oasis-open.org] On Behalf Of Cantor, Scott
> Sent: Friday, June 01, 2012 10:55 AM
> To: Philpott, Robert; security-services@lists.oasis-open.org
> Subject: Re: [security-services] Potential errata on AuthnContextDeclRef/ClassRef
>
> On 6/1/12 12:48 AM, "robert.philpott@rsa.com" <robert.philpott@rsa.com> wrote:
>
> >I responded that I thought that was improper since I believed it was
> >intended that those URNs were to be used in conjunction with an
> ><AuthnContextClassRef>, not a DeclRef. But when I went back and reread
> >the relevant spec sections, it doesn't appear to me that we specifically
> >disallowed it.
>
> Well, there has to be an element of common sense. If the bucket says Fish
> and you drop a Chicken in it...
>
> So I think the issue is that people don't understand the difference
> between them. I suppose the better OO analogy is that a class ref is like
> a type and a decl ref is like an instance. Fish and "Sammy the Goldfish".
>
> >Both the ClassRef and the DeclRef use the xs:anyURI
> >datatype, so obviously URNs would be allowed in either one.
>
> Sure, but that data type also applies to NameID and Attribute Name
> Formats, entityIDs, etc. We don't specifically preclude those either.
>
> >My memory is a bit fuzzy, but I believe the intention of the committee
> >was as I described.
> >If so, then the suggestion is that we re-examine the wording in the
> >authn context and core specs and make it a bit clearer.
>
> I think we probably need to explain what the difference is more
> effectively so that the common sense implication is obvious.
>
> I will file an errata in Jira.
>
> -- Scott
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-services-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: security-services-help@lists.oasis-open.org
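The type-versus-instance distinction discussed above is something an SP can check mechanically when it receives an assertion: a value from the SAML 2.0 authn context class namespace (urn:oasis:names:tc:SAML:2.0:ac:classes:*) belongs in AuthnContextClassRef, while AuthnContextDeclRef should point at a declaration document. The following is an added example, not code from the thread, RSA or any SAML implementation; the two assertions are constructed to mirror the cases described (a well-formed one and the partner's "class URN in DeclRef" one), and the accepted-class set is an illustrative SP policy, not anything the spec or the thread prescribes. It assumes the assertion's signature has already been verified before its content is inspected.

```python
"""Inspect the AuthnContext of a SAML 2.0 assertion and flag a class URN
that has been placed in AuthnContextDeclRef instead of AuthnContextClassRef.

Added example: constructed assertions and an assumed SP policy, not code from
the mailing-list thread. Run it after XML signature verification, not before.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Prefix shared by the class identifiers defined in the SAML 2.0 authn context spec.
AC_CLASS_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed SP policy (illustrative): classes this SP is willing to accept.
ACCEPTED_CLASSES = {
    AC_CLASS_PREFIX + "PasswordProtectedTransport",
    AC_CLASS_PREFIX + "TLSClient",
    AC_CLASS_PREFIX + "Smartcard",
}


def check_authn_context(assertion_xml: str) -> dict:
    """Return ClassRef/DeclRef of the first AuthnStatement, an accept decision
    under ACCEPTED_CLASSES, and a list of findings about how they were used."""
    root = ET.fromstring(assertion_xml)
    ctx = root.find("./saml:AuthnStatement/saml:AuthnContext", SAML_NS)
    if ctx is None:
        return {"class_ref": None, "decl_ref": None, "accepted": False,
                "findings": ["assertion carries no AuthnStatement/AuthnContext"]}

    class_ref = ctx.findtext("saml:AuthnContextClassRef", namespaces=SAML_NS)
    decl_ref = ctx.findtext("saml:AuthnContextDeclRef", namespaces=SAML_NS)
    findings = []

    if class_ref is None and decl_ref is None:
        findings.append("AuthnContext has neither a ClassRef nor a DeclRef")
    # The case from the thread: a "type" identifier dropped into the "instance" slot.
    if decl_ref and decl_ref.startswith(AC_CLASS_PREFIX):
        findings.append(f"DeclRef holds a class URN ({decl_ref}); "
                        "class identifiers belong in AuthnContextClassRef")
    if class_ref and not class_ref.startswith(AC_CLASS_PREFIX):
        findings.append(f"ClassRef {class_ref} is not in the standard ac:classes "
                        "namespace; treat as a custom class and accept only by explicit policy")
    if class_ref is None and decl_ref:
        findings.append("only a DeclRef was given; the SP must fetch/resolve the "
                        "declaration to learn what was actually done")

    # Policy decision is made on the class, never on a URN smuggled into DeclRef.
    accepted = class_ref in ACCEPTED_CLASSES
    return {"class_ref": class_ref, "decl_ref": decl_ref,
            "accepted": accepted, "findings": findings}


# Constructed sample: class URN in ClassRef, custom declaration URI in DeclRef.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2012-06-01T14:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2012-06-01T13:59:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthnContextDeclRef>https://idp.example.org/authn/decl/password-v1.xml</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample of the partner's mistake: the class URN placed in DeclRef, no ClassRef.
PARTNER_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2012-06-01T14:00:00Z">
  <saml:Issuer>https://partner-idp.example.net</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2012-06-01T13:59:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for name, xml in (("good", GOOD_ASSERTION), ("partner", PARTNER_ASSERTION)):
        result = check_authn_context(xml)
        print(name, "accepted" if result["accepted"] else "rejected")
        for f in result["findings"]:
            print("  -", f)
```

The policy test deliberately looks only at ClassRef: if an SP matched the class URN wherever it appeared, the partner's assertion would be accepted by accident and the misuse would never surface. Reporting the findings separately from the accept decision gives you the text to send back to the partner.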