security-services message
Subject: RE: New Issues, Authorities and Domains


I take the view that 

1) Each assertion is implicitly qualified by the issuer name.

2) URIs provide sufficient flexibility to allow parties acting in good faith
to uniquely identify resources etc. without ambiguity.

[Apologies in advance for the argument which follows, which is of the 'boil
the ocean' variety]


The qualification 'in good faith' is the important point. I have never been
convinced by Ron's SDSI argument that all names are relative. It is true
that the discovery that names are intrinsically subjective caused the logical
positivists to fail; however, there have been considerable developments
since.

The most important of these is the concept of Intersubjectivity. Loosely
stated, this goes: although there are many facts that we cannot prove to an
absolute skeptic, such as Descartes' daemon, and are thus 'subjective', the
axioms from which the facts may be established are agreed intersubjectively.

So for example neither I nor anyone else can prove that Napoleon was Emperor
of France; in fact we cannot prove using symbolic logic that either Napoleon
or France existed. Despite the failure of symbolic logic we can construct a
plausible argument that both did exist, and moreover the overwhelming
probability is that if I use the term 'Napoleon' and you use the term
'Napoleon' we are both talking about the same person.


In the Internet architecture names are derived from the DNS infrastructure.
The Internet architecture does allow for multiple name spaces and in fact
some people have set up separate name spaces and even address spaces.
However 99.999% of the Internet have a common understanding of the meaning
of www.cnn.com.

The practical implication of this observation is that rather than supporting
an infinite regression of 'the person X calls Y asserts that Z...', the
identifiers are normalized at each stage. So the only question we ask
is 'is the issuer of the assertion trusted to make the claim stated?' - and
explicit in that statement is the understanding that by trusting the issuer
we mean that we trust the issuer to use the same terms as we use.


		Phill


Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Thursday, May 24, 2001 10:56 AM
> To: security-services@lists.oasis-open.org
> Subject: New Issues, Authorities and Domains
> 
> 
> Here are a couple of issues we should think about.
> 
> An Assertion is issued by an authority.
> 
> Assertions may be signed.
> 
> The name of a subject must be qualified to some domain.
> 
> Attributes must be qualified by a domain as well.
> 
> Nigel's comments in the last concall suggest that resources also need to be
> qualified by domain.
> 
> 1. Stephen has pointed out that there may be a requirement to encrypt, for
> example, the user name but not the domain. Therefore they should be in
> separate elements. If domains are going to appear all over the place, maybe
> we need a general way of having element pairs of domain and "thing in
> domain."
> 
> 2. Should SAML take any position on the relationship between the 1)
> Authority, 2) the entity that signed the assertion, and 3) the various
> domains scattered throughout the assertion? The contrary view is that it is a
> matter for private arrangement among asserting and relying parties.
> 
> Hal
> 

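The design points argued in this exchange, as an added illustration that is not code from either correspondent or from the SAML specification: each claim is implicitly qualified by the assertion's issuer; subject and attribute names carry their domain in a field separate from the name, so the name can be an opaque (e.g. encrypted) token while the relying party decides on the domain alone; and the only question asked is whether the issuer is trusted to make the claim for that domain, with no chain of who-said-what. Issuer names, domains and the policy table are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Qualified:
    """Hal's 'element pair': domain and 'thing in domain' kept separate."""
    domain: str  # stays in the clear; every policy decision uses only this
    name: str    # may be an opaque encrypted token; never inspected here


@dataclass
class Assertion:
    issuer: str
    subject: Qualified
    attributes: dict[Qualified, str] = field(default_factory=dict)
    signer: str | None = None  # entity that signed; may differ from issuer


# Constructed policy: the domains each issuer is trusted to speak for.
# An issuer absent from the table is not trusted for anything.
POLICY = {
    "idp.example.com": {"example.com", "hr.example.com"},
    "partner.example.org": {"example.org"},
}


def evaluate(a: Assertion, policy=POLICY, require_issuer_signs=True):
    """Return {claim: accepted}. Keys use the name only as a label; the
    accept/reject decision depends on the issuer and the domain alone."""
    claims = ["subject"] + [f"attr:{q.domain}/{q.name}" for q in a.attributes]
    # The thread leaves the issuer/signer relation open; this example takes
    # the strict reading that the issuer itself must have signed.
    if require_issuer_signs and a.signer != a.issuer:
        return {c: False for c in claims}
    allowed = policy.get(a.issuer, set())
    verdict = {"subject": a.subject.domain in allowed}
    for q in a.attributes:
        # A well-formed, signed assertion may still carry an attribute in a
        # domain this issuer may not speak for; that claim alone is dropped.
        verdict[f"attr:{q.domain}/{q.name}"] = q.domain in allowed
    return verdict
```

Because the decision never touches `name`, the same policy check works whether the name is in the clear or encrypted, which is the reason for keeping the two in separate elements.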