OASIS Mailing List Archives
dss message

Subject: Representing requestor's identity


At 02:10 PM 4/28/2003 +0100, Nick Pope wrote:
>Trevor, Anthony,
>
>It seems to me that the syntax should be flexible in including a range of
>alternative name forms including:
>- Simple name string
>- RFC 3280/X.509 general name (possibly encoded as an LDAP string)
>- SAML Assertion
>- WSS UsernameToken
>- Other name forms to be identified at a later date
>
>Then for specific usage profiles the particular name form to be used can be
>defined.

Nick,

I'd follow RFC 3280 and call "name forms" things like:
  - email address
  - dns name
  - ip address
  - distinguished name
  - edi party name
  - etc.

I'd call the things you mention "name syntaxes" instead of name forms, the 
distinction being that a name syntax can transport different name 
forms.  I'd further distinguish SAML Authentication Assertions from "name 
syntaxes" - an Assertion contains a "name syntax" in <NameIdentifier>, but 
also contains stuff about how the name was authenticated.

My new opinion is that for CMS we should choose a single ASN.1 name syntax 
(probably GeneralName), and for XML-DSIG we should choose a single XML name 
syntax (either define our own, or borrow SAML <NameIdentifier>).  I think 
extensibility to different name forms is important, but to different name 
syntaxes would cause needless incompatibilities (e.g. if Alice encodes an 
email address in one syntax, and Bob can only understand it in a different 
one).

Then for both XML-DSIG and CMS, we should allow the use of a SAML Assertion 
in place of the name syntax when information about the authentication is to 
be represented.

This leaves open what XML name syntax we use - make our own or borrow 
SAML's?  But otherwise, using name syntaxes instead of Assertions avoids 
the verbosity and need to parse SAML Assertions when they're not necessary.

Trevor 
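As an added illustration of the point argued in the message above (one name syntax that transports several name forms, so that a verifier understanding the single syntax can accept every form), here is example code written for this archive page; it is not from the DSS TC, from Trevor, or from Nick Pope. It assumes a hypothetical XML element `<RequestorName Form="...">` whose `Form` values are the RFC 3280 GeneralName choice names `rfc822Name`, `dNSName`, `iPAddress` and `directoryName`; the element name, the attribute and the validation rules are assumptions for illustration, only the form names come from RFC 3280. Unknown forms and malformed values are rejected rather than passed through, which is the check a verifier would want before using the name in any policy decision.

```python
"""Added example (not from the OASIS dss thread): one XML name syntax
carrying several RFC 3280 GeneralName name forms.

Assumed, hypothetical element:  <RequestorName Form="..."/>  where Form is
one of the GeneralName choice names rfc822Name, dNSName, iPAddress or
directoryName.  A verifier that understands only this one syntax can still
accept every form, which is the interoperability point of the message.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Simplified syntax checks; each validator returns a canonical value or
# raises ValueError.  Real deployments would use stricter RFC-level parsers.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*=.+$")


def _rfc822(value):
    if not EMAIL_RE.match(value):
        raise ValueError("malformed rfc822Name")
    local, _, domain = value.rpartition("@")
    # Only the domain part is case-insensitive; keep the local part as given.
    return f"{local}@{domain.lower()}"


def _dns(value):
    labels = value.rstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        raise ValueError("malformed dNSName")
    return ".".join(labels).lower()


def _ip(value):
    # ipaddress rejects anything that is not a valid v4/v6 literal and
    # canonicalises the textual form (e.g. compresses IPv6 zeros).
    return str(ipaddress.ip_address(value))


def _dn(value):
    # Minimal LDAP-string DN check: "attr=value" RDNs separated by commas.
    # (Escaped commas inside values are deliberately not handled here.)
    rdns = [r.strip() for r in value.split(",")]
    if not rdns or not all(RDN_RE.match(r) for r in rdns):
        raise ValueError("malformed directoryName")
    return ",".join(rdns)


# Name forms from the RFC 3280 GeneralName CHOICE mapped to their validators.
FORMS = {
    "rfc822Name": _rfc822,
    "dNSName": _dns,
    "iPAddress": _ip,
    "directoryName": _dn,
}


def parse_requestor_name(xml_text):
    """Return (form, canonical_value) for one <RequestorName> element.

    Raises ValueError for an unexpected element, an unsupported name form
    or a value that does not satisfy the form's syntax rules.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "RequestorName":
        raise ValueError(f"unexpected element {root.tag}")
    form = root.get("Form")
    if form not in FORMS:
        raise ValueError(f"unsupported name form: {form!r}")
    value = (root.text or "").strip()
    return form, FORMS[form](value)


# Constructed sample requests: one per supported form, plus two that must
# be rejected (a form this verifier does not support, and a malformed value).
SAMPLES = [
    '<RequestorName Form="rfc822Name">Alice@Example.COM</RequestorName>',
    '<RequestorName Form="dNSName">signer.example.net.</RequestorName>',
    '<RequestorName Form="iPAddress">2001:DB8::0001</RequestorName>',
    '<RequestorName Form="directoryName">CN=Alice Smith, O=Example Corp, C=GB'
    "</RequestorName>",
    '<RequestorName Form="ediPartyName">not supported here</RequestorName>',
    '<RequestorName Form="rfc822Name">not-an-address</RequestorName>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print("accepted:", parse_requestor_name(sample))
        except ValueError as exc:
            print("rejected:", exc)
```

The design choice worth noting is that the form tag, not the syntax, is the extension point: adding `ediPartyName` later means adding one validator to `FORMS`, while every existing consumer keeps parsing the same element. Canonicalising in the validator (lower-casing the DNS and mail-domain parts, normalising the IP literal) also means two requests naming the same requestor compare equal downstream.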