Subject: ClaimedIdentity - NameType qualifier needed?
Does dss:NameType require, in addition to the Format, an optional interpretation attribute? Like saml:NameIdentifier, which includes a Format and a NameQualifier?

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones

> -----Original Message-----
> From: ext Trevor Perrin [mailto:trevp@trevp.net]
> Sent: Monday, November 03, 2003 1:55 PM
> To: Rich Salz; Hal Lockhart
> Cc: dss@lists.oasis-open.org
> Subject: Re: [dss] Call for claimed identity scenarios
>
> At 01:28 PM 11/3/2003 -0500, Rich Salz wrote:
>
> >I think that ClaimedIdentity is misleading. Or I don't understand the
> >proposed semantics.
> >
> >I believe the intent is to indicate that a role-based key should be used to
> >perform the signature, rather than the default key associated with the
> >authenticated client. In other words, while I might authenticate as "Ken
> >Lay" I will be signing the auditor's report using the "corporate officer" key.
>
> The requirement for this came out of the f2f meeting. The idea, like you
> suggest, was that the client's authentication identity may not be enough to
> tell the server who he is, or what role he is operating under.
>
> But the server may use this "claimed identity" to determine more than just
> which key to sign with. For example, the requirements doc says:
> """
> 3.5.3 Claimed Identity
> - The identity or role asserted by the client.
> The server may use this to determine signature contents, processing steps,
> the value of the Requestor Identity element, which key to use, etc.
> """
>
> The wd-04 schema just has this as a string:
> <xs:element name="ClaimedIdentity" type="xs:string"/>
>
> Maybe it needs to be more complex. Still, I'm not in favor of extending
> this to support authentication, by sending SAML tokens or Kerberos tickets
> or whatnot. I think those should be handled by a lower level, and
> <ClaimedIdentity> should just be used to clarify or supply additional
> context to this lower-level authentication.
>
> Trevor
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php.
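The following is an added illustration of the server-side handling the thread describes; it is not OASIS DSS code and not anything posted by the participants. It assumes a hypothetical richer ClaimedIdentity element carrying Format and NameQualifier attributes (modelled on saml:NameIdentifier, as the question above suggests), a placeholder namespace urn:example:dss, and a constructed policy table. The point it demonstrates is Trevor's: the claim only selects among roles the lower-level authentication already entitles the client to, so a client cannot obtain another principal's key merely by asserting it.

```python
"""Server-side use of a DSS <ClaimedIdentity> element (added example).

Assumptions, not part of the DSS draft: a Format attribute and a
NameQualifier attribute on ClaimedIdentity, the namespace urn:example:dss,
and the constructed policy tables below.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

DSS_NS = "urn:example:dss"                        # placeholder namespace
FORMAT_UNSPECIFIED = "urn:example:names:unspecified"  # assumed default Format


@dataclass(frozen=True)
class ClaimedIdentity:
    value: str              # the asserted identity or role
    fmt: str                # how the value is to be interpreted
    qualifier: Optional[str]  # the domain the name lives in, if any


def parse_claimed_identity(request_xml: str) -> Optional[ClaimedIdentity]:
    """Return the ClaimedIdentity from a request, or None when absent."""
    root = ET.fromstring(request_xml)
    elem = root.find(f"{{{DSS_NS}}}ClaimedIdentity")
    if elem is None:
        return None
    value = (elem.text or "").strip()
    if not value:
        raise ValueError("ClaimedIdentity must not be empty")
    return ClaimedIdentity(value=value,
                           fmt=elem.get("Format", FORMAT_UNSPECIFIED),
                           qualifier=elem.get("NameQualifier"))


# Constructed policy: which (qualifier, format, value) claims each
# authenticated client may assert, and which signing key each claim selects.
ALLOWED_CLAIMS = {
    "ken.lay@example.com": {
        ("example.com", "urn:example:role", "corporate officer"),
    },
}
KEY_FOR_CLAIM = {
    ("example.com", "urn:example:role", "corporate officer"): "key-corp-officer",
}
DEFAULT_KEY = {"ken.lay@example.com": "key-ken-lay-personal"}


def select_signing_key(authenticated_client: str,
                       claim: Optional[ClaimedIdentity]) -> str:
    """Pick the signing key for a request.

    The claim never authenticates anyone: authenticated_client comes from the
    lower layer (TLS client cert, SAML, Kerberos, ...), and the claim only
    narrows which of that client's permitted roles applies.
    """
    if claim is None:
        return DEFAULT_KEY[authenticated_client]
    triple = (claim.qualifier, claim.fmt, claim.value)
    if triple not in ALLOWED_CLAIMS.get(authenticated_client, set()):
        raise PermissionError(f"{authenticated_client} may not act as {triple}")
    return KEY_FOR_CLAIM[triple]


# Constructed sample request.
SAMPLE_REQUEST = f"""<SignRequest xmlns="{DSS_NS}">
  <ClaimedIdentity Format="urn:example:role" NameQualifier="example.com">corporate officer</ClaimedIdentity>
</SignRequest>"""


def demo() -> str:
    """Run the sample request through parsing and key selection."""
    claim = parse_claimed_identity(SAMPLE_REQUEST)
    return select_signing_key("ken.lay@example.com", claim)


if __name__ == "__main__":
    print(demo())
```

A request that carries the same claim but arrives over a session authenticated as a different principal is rejected rather than mapped to the corporate officer key, and a request with no claim falls back to the authenticated client's own default key.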