Subject: RE: [saml-dev] X509SubjectName and relationship to RFC2253?
> The core-00 version of SAML 1.0 describes the format attribute,
> #X509SubjectName, as follows:
>
> Indicates that the content of the NameIdentifier element is in
> the form specified for the contents of <ds:X509SubjectName>
> element in [DSIG]. Implementors should note that [DSIG] specifies
> encoding rules for X.509 subject names that **differ** from the
> rules given in RFC2253 [RFC2253].
>
> There is no [DSIG] reference in this SAML document's bibliography. The
> closest I have found is [XMLSig].
That is correct. You found a bug, I will pass it along to the document editor.
> Is that the proper one? When I follow that link I end up at RFC3275
> which seems to contradict the SAML text:
>
> ... The X509SubjectName element, which contains an X.509 subject
> distinguished name that SHOULD be compliant with RFC 2253
> [LDAP-DN] ...
We have it on good authority that this statement is not completely true, although it may hold for many common cases.
>
> Can someone explain what implied differences would exist in encoding
> between SAML/DSIG and RFC2253 for this field? Most importantly --- can
> I use this field for LDAP DNs, or should I add an additional format
> tag (such as #RFC2253DistinguishedName)?
The differences as I understand them have to do with the escaping of international (multi-byte) characters. The details can be found by a careful reading of the two specifications.
There is a discussion thread in the SAML archives entitled "Proposed text for <NameIdentifier>" in early March of this year, that discusses this issue. It begins with this message:
http://lists.oasis-open.org/archives/security-services/200203/msg00002.html
Look especially at the messages from Stephen Farrell.
Hal