OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [Issue] Specify Subject via Assertion

In most cases in adding issues to draft-sstc-saml-issues-05.doc I used text
provided by others. In a few cases, I added substantial new text which has
never been posed to the mailing list. As a courtesy to those who don't wish
to plow through the entire issues list, I am posting it retroactively.


ISSUE:[DS-1-04: AssnSpecifiesSubject]

Should it be possible to specify a subject in an Assertion or Assertion
Request by reference to another Assertion containing the subject in
question? The referenced Assertion might be indicated by its AssertionID or
including it in its entirety.

For example, a PDP might request an Attribute Assertion from an Attribute
Authority by providing an Authentication Assertion (or its ID) as the way of
identifying the subject.

There are two cases: AssertionID and complete Assertion.


When requesting an Assertion, it will be useful to specify an AssertionID in
a situation where the requestor does not have a copy of the Assertion, but
was had received the AssertionID from some source, for example in a Web
cookie. Of course, it would be necessary that the Asserting Party be able to
obtain the Assertion in question. This scenario would be particularly
convenient if the Asserting Party already possessed the referenced
Assertion, either because it had used it previously for some other purpose
or because it was co-located with the Authority that created it originally.

Using an AssertionID to specify the subject of an Assertion seems less
useful, because it would make it impossible to interpret the Assertion by
itself. If at some later time, the referenced Assertion was no longer
available; it would not be possible to determine the subject of the
Assertion in question. Even it the Assertion was available, having two
assertions rather than one would be much less convenient.

Complete Assertion

Whether requesting an Assertion or creating a new assertion, it would never
be strictly necessary to include another Assertion in its entirety to
specify the subject of the first Assertion, because the subject field could
be copied instead. Hypothetically, the complete contents of the Assertion
might have some value, as the basis of a policy decision, however the same
need could be served as well by attaching the second Assertion, rather than
including it within the subject field of the first.

This was identified as F2F#3-19 and F2F#3-27, although the scope of the
latter is limited to the specific case of an Authentication Assertion being
referenced within an Attribute Assertion.

Potential Resolutions:

1.	Allow a subject to be specified by an AssertionID or complete
2.	Allow a subject to be specified by an AssertionID, but not a
complete Assertion.
3.	Allow a subject to be specified only in an Assertion Request by an
4.	Do not allow a subject to be specified by either an AssertionID or
complete Assertion.

Status: Open

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC