
security-services-comment message


Subject: XASP: Permitting use of Subject Alt Names?

The SAML Attribute Sharing Profile for X.509 Authentication-Based
Systems, 28 March 2006, says that the <AttributeQuery> <Subject> element
must contain a <NameID> with the value of the Subject DN with the
nameid-format of X509SubjectName.


Some certificates may contain null Subject DNs, and for others there is
not a 1-1 correspondence between an entity identified by a unique ID
contained in the Subject Alternative Name and varying DNs that may also
be issued to that entity contemporaneously or over a period of time.
For example, FIPS 201 identifies subjects using the Federal Agency Smart
Card Number (FASC-N) contained in SAN, RFC 4043 specifies a permanent
identifier intended to be stable regardless of changes in DNs, and
non-person entities such as devices or service providers may be
identified using IPv6 addresses, RFC 4122 UUIDs, or other UIDs contained
in SAN.


Has there been any discussion of updating XASP to permit requesting
attributes using a stable entity identifier contained in SAN?  If not,
is there a forum for XASP where such a change proposal could be
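As an added illustration of the rule the message quotes (not code from the OASIS profile or from the poster), the following Python builds a SAML 2.0 `<AttributeQuery>` whose `<Subject>` carries the certificate Subject DN in the `X509SubjectName` NameID format, checks an incoming query against that rule, and refuses to build one for a certificate with a null Subject DN, which is the first problem the message raises. The namespaces and NameID format URN are the standard SAML 2.0 values; the DN, issuer URL and attribute name are constructed sample inputs.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces and the NameID format the profile mandates.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NS = {"samlp": SAMLP, "saml": SAML}

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(subject_dn, issuer, attribute_names):
    """Build an <AttributeQuery> whose <Subject>/<NameID> holds the
    certificate Subject DN with Format=X509SubjectName."""
    if not subject_dn or not subject_dn.strip():
        # A certificate with a null Subject DN has nothing to put in <NameID>;
        # under the profile as quoted there is no way to name such a subject.
        raise ValueError("empty Subject DN: profile requires an X509SubjectName value")
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc)
                                         .strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT_NAME})
    name_id.text = subject_dn
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


def subject_name_id(query_xml):
    """Return (Format, value) of the query's Subject NameID, or None if absent."""
    root = ET.fromstring(query_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None
    return name_id.get("Format"), (name_id.text or "")


def conforms_to_profile(query_xml):
    """Check the single rule quoted in the message: a NameID is present,
    its Format is X509SubjectName, and its value is non-empty."""
    found = subject_name_id(query_xml)
    return (found is not None
            and found[0] == X509_SUBJECT_NAME
            and found[1].strip() != "")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    q = build_attribute_query("CN=alice,O=Example Corp,C=US",
                              "https://sp.example.test", ["mail"])
    print(q)
    print("conforms:", conforms_to_profile(q))
```

`conforms_to_profile` is deliberately narrow: it encodes only the NameID rule the message quotes, so a query that names the subject by some other identifier (for instance one drawn from the Subject Alternative Name, as the message proposes) is reported as non-conforming to the profile as it stood.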
