[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [Issue] Specify Subject via Assertion
In most cases in adding issues to draft-sstc-saml-issues-05.doc I used text provided by others. In a few cases, I added substantial new text which has never been posed to the mailing list. As a courtesy to those who don't wish to plow through the entire issues list, I am posting it retroactively. Hal ISSUE:[DS-1-04: AssnSpecifiesSubject] Should it be possible to specify a subject in an Assertion or Assertion Request by reference to another Assertion containing the subject in question? The referenced Assertion might be indicated by its AssertionID or including it in its entirety. For example, a PDP might request an Attribute Assertion from an Attribute Authority by providing an Authentication Assertion (or its ID) as the way of identifying the subject. There are two cases: AssertionID and complete Assertion. AssertionID When requesting an Assertion, it will be useful to specify an AssertionID in a situation where the requestor does not have a copy of the Assertion, but was had received the AssertionID from some source, for example in a Web cookie. Of course, it would be necessary that the Asserting Party be able to obtain the Assertion in question. This scenario would be particularly convenient if the Asserting Party already possessed the referenced Assertion, either because it had used it previously for some other purpose or because it was co-located with the Authority that created it originally. Using an AssertionID to specify the subject of an Assertion seems less useful, because it would make it impossible to interpret the Assertion by itself. If at some later time, the referenced Assertion was no longer available; it would not be possible to determine the subject of the Assertion in question. Even it the Assertion was available, having two assertions rather than one would be much less convenient. Complete Assertion Whether requesting an Assertion or creating a new assertion, it would never be strictly necessary to include another Assertion in its entirety to specify the subject of the first Assertion, because the subject field could be copied instead. Hypothetically, the complete contents of the Assertion might have some value, as the basis of a policy decision, however the same need could be served as well by attaching the second Assertion, rather than including it within the subject field of the first. This was identified as F2F#3-19 and F2F#3-27, although the scope of the latter is limited to the specific case of an Authentication Assertion being referenced within an Attribute Assertion. Potential Resolutions: 1. Allow a subject to be specified by an AssertionID or complete Assertion. 2. Allow a subject to be specified by an AssertionID, but not a complete Assertion. 3. Allow a subject to be specified only in an Assertion Request by an AssertionID. 4. Do not allow a subject to be specified by either an AssertionID or complete Assertion. Status: Open
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC