Subject: Re: [security-services-comment] XASP: Permitting use of Subject Alt Names?
This is yet another reason to define a new BaseID type that carries the complete certificate. This was discussed briefly on saml-dev a while ago. I proposed the details of such a change to the OGF AuthZ-WG but they weren't interested since it meant basically starting the specification process from scratch, and so it was a matter of (bad) timing for them. FWIW, I'd be interested in exploring this further.

Tom Scavo
NCSA

On Mon, May 5, 2008 at 12:49 PM, Kemp, David P. <DPKemp@missi.ncsc.mil> wrote:
> The SAML Attribute Sharing Profile for X.509 Authentication-Based
> Systems, 28 March 2006, says that the <AttributeQuery> <Subject> element
> must contain a <NameID> with the value of the Subject DN with the
> nameid-format of X509SubjectName.
>
> Some certificates may contain null Subject DNs, and for others there is
> not a 1-1 correspondence between an entity identified by a unique ID
> contained in the Subject Alternative Name and varying DNs that may also
> be issued to that entity contemporaneously or over a period of time.
> For example, FIPS 201 identifies subjects using the Federal Agency Smart
> Card Number (FASC-N) contained in SAN, RFC 4043 specifies a permanent
> identifier intended to be stable regardless of changes in DNs, and
> non-person entities such as devices or service providers may be
> identified using IPv6 addresses, RFC 4122 UUIDs, or other UIDs contained
> in SAN.
>
> Has there been any discussion of updating XASP to permit requesting
> attributes using a stable entity identifier contained in SAN? If not,
> is there a forum for XASP where such a change proposal could be
> discussed?
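The <AttributeQuery> that Kemp describes, as an added example that is not part of this thread, of the XASP profile text, or of any named project: a requester builds a SAML 2.0 AttributeQuery whose <Subject> carries the certificate's Subject DN as a <NameID> in the X509SubjectName format, and the attribute-authority side reads it back. It assumes the DN is serialized in RFC 4514 string form, uses a fictitious subject and issuer constructed for the example, and refuses the null-Subject-DN case the thread raises, since the profile then has no value to send. The demo at the bottom also shows the other half of Kemp's point: two certificates for the same person with different DNs yield two different NameIDs.

```python
"""Added example: an XASP-style SAML 2.0 AttributeQuery keyed on the X.509 Subject DN.
Not code from the thread or the profile; the DN, issuer and attribute names are constructed."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# NameID format defined in SAML 2.0 Core section 8.3.3 and required by XASP.
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # '#' only needs escaping when leading
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def dn_to_string(rdns):
    """rdns: [(type, value), ...] in certificate (DER) order, root first.
    RFC 4514 writes the RDNSequence reversed, so the leaf RDN comes first."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in reversed(rdns))


def build_attribute_query(subject_rdns, issuer, attribute_names=()):
    """Requester side. Raises ValueError on a null Subject DN: XASP gives the
    requester no identifier to put in <NameID> in that case."""
    if not subject_rdns:
        raise ValueError("null Subject DN: no X509SubjectName value for XASP NameID")
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": X509_SUBJECT_NAME})
    name_id.text = dn_to_string(subject_rdns)
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


def subject_nameid(query_xml):
    """Attribute-authority side: return (Format, value) of the Subject NameID."""
    root = ET.fromstring(query_xml)
    nid = root.find(f"./{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None or not nid.text:
        raise ValueError("AttributeQuery carries no usable NameID")
    return nid.get("Format"), nid.text


if __name__ == "__main__":
    # Constructed: the same (fictitious) person holding two certs with different DNs.
    dn_a = [("C", "US"), ("O", "Example Agency"), ("CN", "Doe, Jane Q.")]
    dn_b = [("C", "US"), ("O", "Example Agency"), ("OU", "Contractors"), ("CN", "Doe, Jane Q.")]
    issuer = "https://sp.example.org/shibboleth"  # constructed issuer entityID
    for dn in (dn_a, dn_b):
        q = build_attribute_query(dn, issuer, ["urn:oid:0.9.2342.19200300.100.1.3"])
        print(subject_nameid(q))  # two different NameIDs for one subject
    try:
        build_attribute_query([], issuer)
    except ValueError as exc:
        print("null DN rejected:", exc)
```

The escaping matters in practice: a DN with a comma in the CN (common for "Surname, Given" naming) must reach the attribute authority as `CN=Doe\, Jane Q.`, or the authority will parse a different DN and the lookup silently misses.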