OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Thoughts wrt draft-sstc-saml-issues-status-01

> >     144  ISSUE:[DS-6-05: AttributeScope] 
> status=CLOSED
> "AttributeNamespace" satisfies this?

No, scoping of attributes is about the context of the value (eg. my
affiliation is faculty, but *where* am I a faculty member?) rather than
a context for the attribute's name. This is a particular issue with
directory attributes in which the scope is often implicitly "the
organization whose directory this is".

The SAML assumption is that it's carried in Subject SecurityDomain or
otherwise in the value in some attribute-specific way.

I think this is a subtle issue that people will discover for themselves,
but Shib considers this issue closed.

I followed up because I think it's really critical that anyone that
doesn't understand the purpose of XML namespaces doesn't get confused
and think that it's appropriate to place a "domain identifier" of some
sort in the AttributeNamespace slot. That slot is to identify the XML
namespace in which the attribute's Name has been placed. For example, as
Stephen Farrell has been arguing, there may well be a namespace defined
for inetOrgPerson attributes.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC