OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: composition of AssertionID (Issue: DS-4-04: URIs for Assertio nIDs)

Jeff Hodges wrote,
> The research I did indicates that it is questionable whether 
> it is a good idea
> to simply use a URL-style URI as shown above and consider the 
> "problem solved". 

Yes, but it seems to me that 2/3 of these problems go away if you assume
global (intergalactic) uniqueness. I further assert that half of the
remainder go away if you write strict rules for forming and comparing them
for identity.

This IMO leaves a managable remainder to deal with. 

> > I assume if you ask for an Assertion identified only by ID, 
> you will get
> > that one or an error. 
> Part of the question is "to whom do you address the 
> request?". If the answer is
> "you figure it out from stuff within the AssertionID", then I 
> claim we're
> (perhaps needlessly) overloading the semantics of 
> AssertionID.

I think we have already have agreed that various things in SAML need to be
administratively configured, based on out of band agreement, so I don't see
a problem with doing the same for the location of authorities.

I am equally comfortable with an 1) issuer dns name and a unique integer or
2) an UUID, but such things are unfashionable. (As someone who was at
various times an expert on DCE and SET, I understand the need to follow
technology fashions or be left talking to yourself. ;-)



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC