

Subject: RE: [dss] Representing requestor's identity


Trevor,

I am very confused over what you are suggesting.

The DSS structure is in XML.  If we have a CMS signature it will be carried
within a subcomponent of this XML.  The information about the requestor needs
to be visible as part of the XML syntax.

CMS only carries GeneralName within some of the certificate extensions.  It
does not include GeneralName in any other part of the structure!  Are you
suggesting that we start re-defining CMS?

I strongly suggest that we carry the SAML structure when this is used as a
method of authenticating / authorising the requestor.

Nick

> -----Original Message-----
> From: Trevor Perrin [mailto:trevp@trevp.net]
> Sent: 28 April 2003 19:37
> To: Nick Pope; dss@lists.oasis-open.org
> Subject: RE: [dss] Representing requestor's identity
>
>
> At 06:51 PM 4/28/2003 +0100, Nick Pope wrote:
>
> >Trevor,
> >
> >What exactly do you mean by ASN.1 syntax?  Do you mean take the basic ASN.1
> >structure and redefine it in XML?
>
> CMS is already in ASN.1, so if we use RFC 3280 GeneralName as the "name
> syntax" for identifying the requestor within CMS signatures, we wouldn't
> have to redefine it in XML or base64-encode it or anything.
>
> [...]
> >A more generic approach could be a "name form"
> >identifier followed by the Name value encoded as a string.
>
> That's basically what a SAML <NameIdentifier> is.  We could borrow that or
> define our own, either way would be so easy I don't think we need to sweat
> the details now, if we're in agreement that both XML and CMS should have
> some simple "name syntax" (as simple as just a type identifier followed by
> a string or structure).
>
>
> > > Then for both XML-DSIG and CMS, we should allow the use of a SAML Assertion
> > > in place of the name syntax when information about the authentication is to
> > > be represented.
> > >
> >As well as SAML we still need to cover WSS UsernameToken and allow other
> >externally defined structures for representing authenticated identities.
>
> I disagree here - I think we should *only* support SAML as far as
> representing the authentication event goes, since it's the only well-known
> technology for doing this (that I'm aware of).  WSS UsernameTokens aren't
> intended for this purpose - they don't provide for expressing usernames in
> different "name forms", and they don't provide for saying anything about
> who authenticated the subject, the authentication method, or the
> authentication time.
>
> Trevor
>
>