Subject: ClaimedIdentity - NameType qualifier needed?




Does dss:NameType require in addition to the Format, an optional interpretation attribute? Like saml:NameIdentifier that includes format and NameQualifier?

regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones




> -----Original Message-----
> From: ext Trevor Perrin [mailto:trevp@trevp.net]
> Sent: Monday, November 03, 2003 1:55 PM
> To: Rich Salz; Hal Lockhart
> Cc: dss@lists.oasis-open.org
> Subject: Re: [dss] Call for claimed identity scenarios
> 
> 
> At 01:28 PM 11/3/2003 -0500, Rich Salz wrote:
> 
> >I think that ClaimedIdentity is misleading.  Or I don't understand the
> >proposed semantics.
> >
> >I believe the intent is to indicate that a role-based key should be used to
> >perform the signature, rather than the default key associated with the
> >authenticated client.  In other words, while I might authenticate as "Ken
> >Lay" I will be signing the auditor's report using the "corporate officer" key.
> 
> The requirement for this came out of the f2f meeting.  The idea, like you
> suggest, was that the client's authentication identity may not be enough to
> tell the server who he is, or what role he is operating under.
> 
> But the server may use this "claimed identity" to determine more than just
> which key to sign with.  For example, the requirements doc says:
> """
> 3.5.3   Claimed Identity
>   - The identity or role asserted by the client.
> The server may use this to determine signature contents, 
> processing steps, 
> the value of the Requestor Identity element, which key to use, etc..
> """
> 
> The wd-04 schema just has this as a string:
> <xs:element name="ClaimedIdentity" type="xs:string"/>
> 
> 
> Maybe it needs to be more complex.  Still, I'm not in favor of extending
> this to support authentication, by sending SAML tokens or Kerberos tickets
> or whatnot.  I think those should be handled by a lower level, and
> <ClaimedIdentity> should just be used to clarify or supply additional
> context to this lower-level authentication.
> 
> 
> Trevor
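The quoted thread describes ClaimedIdentity as a plain string that refines an authentication already done at a lower level, and that the server maps to a role key. The following added example (not code from the DSS TC or any draft) shows a server-side check in that spirit: the claimed role is only honored if it is granted to the principal the lower layer authenticated, otherwise the default key is used or the request is rejected. The namespace, principal names, role names and key identifiers are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace assumed for this example; the wd-04 draft may use another.
DSS_NS = "urn:oasis:names:tc:dss:1.0:core:schema"

# Constructed tables. The authenticated principal comes from the lower
# layer (e.g. a TLS client certificate), never from the request body.
DEFAULT_KEYS = {"CN=Ken Lay,O=Example Corp": "key:kenlay-personal",
                "CN=Jane Auditor,O=Example Corp": "key:jane-personal"}
ROLE_GRANTS = {"CN=Ken Lay,O=Example Corp": {"corporate officer"},
               "CN=Jane Auditor,O=Example Corp": {"auditor"}}
ROLE_KEYS = {"corporate officer": "key:officer-role",
             "auditor": "key:auditor-role"}

class ClaimRejected(Exception):
    """The claimed role is unknown, or not granted to this principal."""

def extract_claimed_identity(request_xml: str):
    """Return the <ClaimedIdentity> string of a SignRequest, or None."""
    root = ET.fromstring(request_xml)
    el = root.find(f"{{{DSS_NS}}}ClaimedIdentity")
    if el is None or not (el.text or "").strip():
        return None
    return el.text.strip()

def select_signing_key(principal: str, request_xml: str) -> str:
    """Pick the key for an already-authenticated client.

    ClaimedIdentity only refines the lower-level authentication: absent, the
    client's default key is used; present, the role must be one actually
    granted to the principal, otherwise the request is rejected.
    """
    if principal not in DEFAULT_KEYS:
        raise ClaimRejected("unknown principal")
    claimed = extract_claimed_identity(request_xml)
    if claimed is None:
        return DEFAULT_KEYS[principal]
    if claimed not in ROLE_KEYS:
        raise ClaimRejected(f"unknown role {claimed!r}")
    if claimed not in ROLE_GRANTS.get(principal, set()):
        raise ClaimRejected(f"{principal} may not claim {claimed!r}")
    return ROLE_KEYS[claimed]

# Constructed request in the wd-04 shape: ClaimedIdentity is a plain string.
def sample_request(claimed=None) -> str:
    body = f"<dss:ClaimedIdentity>{claimed}</dss:ClaimedIdentity>" if claimed else ""
    return f'<dss:SignRequest xmlns:dss="{DSS_NS}">{body}</dss:SignRequest>'
```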
