Subject: XASP: Permitting use of Subject Alt Names?
The SAML Attribute Sharing Profile for X.509 Authentication-Based Systems, 28 March 2006, says that the <AttributeQuery> <Subject> element must contain a <NameID> with the value of the Subject DN with the nameid-format of X509SubjectName. Some certificates may contain null Subject DNs, and for others there is not a 1-1 correspondence between an entity identified by a unique ID contained in the Subject Alternative Name and varying DNs that may also be issued to that entity contemporaneously or over a period of time. For example, FIPS 201 identifies subjects using the Federal Agency Smart Card Number (FASC-N) contained in SAN, RFC 4043 specifies a permanent identifier intended to be stable regardless of changes in DNs, and non-person entities such as devices or service providers may be identified using IPv6 addresses, RFC 4122 UUIDs, or other UIDs contained in SAN. Has there been any discussion of updating XASP to permit requesting attributes using a stable entity identifier contained in SAN? If not, is there a forum for XASP where such a change proposal could be discussed?
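The requirement described above, and the gap it leaves for certificates whose only stable identifier sits in the subjectAltName, can be seen in a small requester/responder round trip. The following is an added example, not code from the original post or from the XASP profile itself. It assumes the standard SAML 2.0 protocol and assertion namespaces and the SAML 1.1 `X509SubjectName` NameID format URI the profile names; the two "certificates" are constructed dictionaries of already-parsed fields (the permanentIdentifier and UUID values in them are placeholders), and the DN is passed through as a plain string without reproducing the profile's exact DN string-encoding rules.

```python
"""Added example: build and check an XASP-style SAML 2.0 AttributeQuery whose
Subject/NameID carries the certificate Subject DN, and show the failure mode
the post describes (empty Subject DN, stable identifier only in SAN)."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# NameID format the profile mandates for the Subject DN
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ATTR_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


class EmptySubjectDN(ValueError):
    """Raised when the certificate offers no Subject DN to place in the NameID."""


def build_attribute_query(subject_dn, issuer, attribute_names=()):
    """Requester side: AttributeQuery keyed on the Subject DN string."""
    if not subject_dn or not subject_dn.strip():
        raise EmptySubjectDN("XASP NameID requires a non-empty Subject DN")
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT_NAME})
    name_id.text = subject_dn
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute",
                      {"Name": name, "NameFormat": ATTR_FORMAT_URI})
    return ET.tostring(query, encoding="unicode")


def subject_name_id(query_xml):
    """Responder side: return the DN from Subject/NameID, rejecting anything
    that is not a non-empty NameID in the X509SubjectName format."""
    root = ET.fromstring(query_xml)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not a SAML 2.0 AttributeQuery")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or name_id.get("Format") != X509_SUBJECT_NAME:
        raise ValueError("NameID missing or not in X509SubjectName format")
    if not (name_id.text or "").strip():
        raise ValueError("NameID is empty")
    return name_id.text


def query_for_certificate(cert, issuer, attribute_names=()):
    """Return the query XML for a pre-parsed certificate, or None when the
    certificate's only stable identifier lives in SAN and the profile gives
    the requester no way to name the subject."""
    try:
        return build_attribute_query(cert["subject_dn"], issuer, attribute_names)
    except EmptySubjectDN:
        return None


# Constructed sample certificates: parsed fields only, not real X.509 data.
PERSON_CERT = {
    "subject_dn": "CN=Alice Example,OU=People,O=Example Agency,C=US",
    "san": ["otherName:permanentIdentifier=<constructed-id>"],
}
DEVICE_CERT = {  # empty Subject DN; identified solely through SAN entries
    "subject_dn": "",
    "san": ["IP:2001:db8::1", "otherName:uuid=<constructed-uuid>"],
}

if __name__ == "__main__":
    print(query_for_certificate(PERSON_CERT, "https://sp.example.invalid", ["urn:example:clearance"]))
    print(query_for_certificate(DEVICE_CERT, "https://sp.example.invalid"))  # None: no DN to query on
```

The responder check is deliberately strict about the `Format` attribute: a responder that accepted any NameID format would silently let a requester query on an identifier the profile never defined, which is exactly why a change to permit SAN-based identifiers would need to be specified rather than improvised by implementations.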