[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] x500Name-match and rfc822Name-match specifications
rfc822Name-match xs:boolean xs:rfc822Name xs:rfc822Name An rfc822 name consists of a <local-part> followed by "@" followed by <domain>. The <local-part> is case-sensitive, while the <domain> (which is usually a DNS host name) is not case-sensitive.* The first argument points to or specifies a particular complete rfc822Name. The second argument is a complete or partial rfc822Name used to select appropriate values in the first argument as follows. In order to match a particular mailbox in the first argument, the second argument must specify the complete mail address to be matched. For example, if the second argument is "Anderson@sun.com", this matches a value in the first argument of "Anderson@sun.com" and "Anderson@SUN.COM", but not "Anne.Anderson@sun.com" or "Anderson@east.sun.com". In order to match any mail address at a particular host in the first argument, the second argument must specify that host name (usually a DNS name). For example, if the second argument is "sun.com", this matches a value in the first argument of "Anderson@sun.com" or "Baxter@SUN.COM", but not "Anderson@east.sun.com". In order to match any mail address in a particular domain in the first argument, the second argument must specify the desired domain name with a leading ".". For example, if the second argument is ".east.sun.com", this matches a value in the first argument of "Anderson@east.sun.com" and "anne.anderson@ISRG.EAST.SUN.COM" but not "Anderson@sun.com". * According to IETF RFC822 and its successor specifications (RFC2821), case is significant in the <local-part>. Many mail systems, as well as the IETF PKIX specification, treat the <local-part> as case-insensitive. This is considered an error by mail-system designers and is not encouraged. For this reason, rfc822Name-match treats <local-part> as case sensitive. x500Name-match xs:boolean xs:x500Name xs:x500Name The string representation of an x500Name is specified in IETF RFC 2253 "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names Names".* IETF RFC 3280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.2.1.4 "Issuer" contains rules for matching x500Name values. The first argument contains a complete x500Name value. The second argument contains a partial or complete x500Name value used to select appropriate values in the first argument as follows. First, normalize the two arguments according to the RFC2253 syntax and according to the "subset of the name comparison functionality" listed in IETF PKIX RFC3280, Section 4.1.2.4 "Issuer". Next, if any Relative Distinguished Name contains multiple attributeTypeAndValue pairs, re-order the AttributeValuePairs in that Relative Distinguished Name in ascending order when compared as octet strings (described in ITU-T Rec. X.690 (1997 E) Section 11.6, "Set-of components"). Finally, x500name-match returns true if all Relative Distinguished Names in the second argument are equal, using byte-by-byte integer-equal, to a trailing subset of the Relative Distinguished Names in the first argument. * An earlier RFC, RFC 1779 "A String Representation of Distinguished Names", is less restrictive, so xacml:x500Name uses the syntax in RFC 2253 for better interoperability. ** ITU-T Rec. X.520 contains rules for matching X500 names, but these are very complex and require knowledge of the syntax of various AttributeTypes. IETF RFC 3280 contains simplified matching rules that the XACML x500Name-match function uses. -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC