Subject: Re: [xacml] Change request to SAML...
On 3 September, Carlisle Adams writes: [xacml] Change request to SAML...

> On the SAML call today, the following item was discussed:
>
> - Standardize issuer name formats (request came from XACML)
>
> The people on the call felt that they needed a bit more clarification
> regarding the concrete requirements for this. They would also be happy to
> receive any specific proposal for changes / additions to the spec to resolve
> this, but they'd be OK with just the requirements if that's all the time we
> have over the next couple of weeks.
>
> Anne: this originally went from you to Eve Maler. Would you be able to
> write a short paragraph saying why XACML needs a SAML change in this area?

How does this look:

Currently, the "Issuer" in a SAML Assertion is an attribute of type "string". "Subject", however, is not just a "string", but can also include "NameQualifier" and "Format" attributes.

If one wishes to associate the Issuer of an Assertion with other Assertions about the Issuer (such as whether the Issuer is authorized to make the first Assertion), or with Access Control Policies about the Issuer, one needs to match "Issuer" and "Subject" values. Simple string matching is inadequate for comparing the various name formats used in enterprise environments today, such as e-mail names and the X.500 Distinguished Names used in digital certificates.

Example: If the Issuer in Assertion A is "Anne.Anderson@Sun.COM", it is not possible to match that value with a Subject of "ANNE.ANDERSON@SUN.COM" in a corresponding Subject Assertion or Access Control Policy statement unless one knows that the Format of the Issuer name is an RFC822 Name, and thus case does not matter.

Anne

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
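To make the requirement concrete, here is an added illustration (not code from the XACML or SAML specifications, nor from the thread) of a matcher that only folds case or normalizes structure when the name Format is known; the format labels "rfc822", "x500" and "unspecified" are assumed names, not SAML URIs.

```python
"""Format-aware comparison of a SAML Issuer string against a Subject name.

Added illustration, not from the XACML or SAML specs. The format labels
"rfc822", "x500" and "unspecified" are assumed names for this example.
"""
import re


def _normalize_rfc822(name: str) -> str:
    # The message treats RFC 822 names as case-insensitive, so fold both
    # the local part and the domain. (Strictly, SMTP leaves the local
    # part's case to the receiving host; this follows the message's rule.)
    return name.strip().lower()


def _normalize_x500(name: str) -> tuple:
    # Split the DN into RDNs on unescaped commas, trim whitespace around
    # '=' and ',', and fold attribute types and values to lower case, so
    # "CN=Anne Anderson, O=Sun" and "cn=anne anderson,o=sun" compare equal.
    # RDN order is kept: it is significant in a Distinguished Name.
    rdns = []
    for rdn in re.split(r"(?<!\\),", name):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), " ".join(value.split()).lower()))
    return tuple(rdns)


NORMALIZERS = {
    "rfc822": _normalize_rfc822,
    "x500": _normalize_x500,
}


def names_match(issuer: str, subject: str, fmt: str = "unspecified") -> bool:
    """Return True if issuer and subject denote the same entity under fmt.

    Without a known Format, only exact string equality is safe: the
    matcher has no licence to fold case or normalize components, which is
    exactly why the Issuer needs a Format attribute like Subject has.
    """
    normalize = NORMALIZERS.get(fmt)
    if normalize is None:
        return issuer == subject
    return normalize(issuer) == normalize(subject)
```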