OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: saml assertion schema notes


> Assertion type has 4 required attributes. Also we have to specify
> xsi:type for each assertion instance. It will make 5 required
> attributes
> for each assertion. I think it will be difficult to read. Why
> not make
> 4 required attributes in base assertion into elements and
> have one xsi:type
> attribute?

I believe the rationale here was to make a distinction between meta-data
about the assertion and the contents of the assertion. Meta-data is
expressed as attributes and contents of the assertion as elements.

I am not sure that "readability" is really an argument for XML--it's meant
to be machine-readable, not human-readable--but I haven't put a lot of
thought into it.

> Advice element could be misused for anything that does not fit into
> assertion.

This one is directly out of the F2F notes. If you feel having it, or having
it as an any, are wrong decisions, that is an issue to be taken up with the
full TC. The consensus draft has to reflect the minutes of the F2F, where
the will of the entire TC was expressed.

> There is a typo on line 249 for the SubjectType:
> Authenticator is referenced
> but everywhere in the text HolderOfKey is mentioned. I belive
> there is still
> an open issue on this element name.

That would be a typo. Thanks for catching that.

> It is not clear what can be a subject of AuthenticationAssertion.
> Definetely AssertionSpecifier should not be used in this case
> but schema
> does not preclude it. (AssertionSpecifier will give us
> self-reference and
> subject will be left undefined)

The subject of any assertion (including Authentication) is what is
identified by the Subject element. One of the possible contents of this
element is an AssertionSpecifier (read as "The subject of this assertion is
the same as the subject of _THAT_ assertion" where the AssertionSpecifier
specifies the other assertion). Naturally this opens the door for the
creation of a pathological assertion who's subject references itself, but I
don't think that's a real concern.

If you know of a way to model the restriction in schema that the referenced
assertion has to have a different ID than the containing assertion, then we
can add it. I don't know of any way to do that. The use of
AssertionSpecifier as a possible content of the Subject element is again
directly from the F2F notes.

Chris

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC