OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services-comment] XASP: Permitting use of Subject Alt Names?

This is yet another reason to define a new BaseID type that carries
the complete certificate.  This was discussed briefly on saml-dev
awhile ago.  I proposed the details of such a change to the OGF
AuthZ-WG but they weren't interested since it meant basically starting
the specification process from scratch, and so it was a matter of
(bad) timing for them.

FWIW, I'd be interested in exploring this further.

Tom Scavo

On Mon, May 5, 2008 at 12:49 PM, Kemp, David P. <DPKemp@missi.ncsc.mil> wrote:
> The SAML Attribute Sharing Profile for X.509 Authentication-Based
>  Systems, 28 March 2006, says that the <AttributeQuery> <Subject> element
>  must contain a <NameID> with the value of the Subject DN with the
>  nameid-format of X509SubjectName.
>  Some certificates may contain null Subject DNs, and for others there is
>  not a 1-1 correspondence between an entity identified by a unique ID
>  contained in the Subject Alternative Name and varying DNs that may also
>  be issued to that entity contemporaneously or over a period of time.
>  For example, FIPS 201 identifies subjects using the Federal Agency Smart
>  Card Number (FASC-N) contained in SAN, RFC 4043 specifies a permanent
>  identifier intended to be stable regardless of changes in DNs, and
>  non-person entities such as devices or service providers may be
>  identified using IPv6 addresses, RFC 4122 UUIDs, or other UIDs contained
>  in SAN.
>  Has there been any discussion of updating XASP to permit requesting
>  attributes using a stable entity identifier contained in SAN?  If not,
>  is there a forum for XASP where such a change proposal could be
>  discussed?

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]