OASIS Mailing List Archives

security-services message

Subject: Re: [security-services] Comparison rules for SAML elements (ISSUE:[DS-14-11: CompareElements])



Irving,

Don't you need some C14N style stuff about elements and attributes
too? 

Examples that might be relevant (not sure, but in ascending order
of likelihood):

- is absence the same as the presence of a default value?
- is <foo></foo> the same as <foo/>?
- <Subject><fred/><bill/></Subject> = <Subject><bill/><fred/></Subject>?
- if I have an authentication assertion about <fred> and an
  attribute assertion about <Subject><fred/><bill/></Subject> does
  that attribute apply to the subject of the authentication assertion?

Now, maybe some of these things are well-defined in the current spec,
but if so, it wasn't clear to me I'm afraid.

Stephen.

Irving Reid wrote:
> 
> Stephen Farrell pointed out in his message
> http://lists.oasis-open.org/archives/security-services/200201/msg00168.html
> that we don't have any text in the current draft describing how to compare
> values in SAML data structures.
> 
> I suggest that we add a subsection near the end of Section 1. If there's a
> more "standards-language" way of referring to the W3C specifications, the
> editors can feel free to make the required changes.
> 
> -----------------------------------------------------
> Comparing SAML values
> 
> Unless otherwise noted, all elements in SAML documents that have the XML
> Schema "string" type, or a type derived from that, MUST be compared using an
> exact binary comparison. In particular, SAML implementations and deployments
> MUST NOT depend on case-insensitive string comparisons, normalization or
> trimming of white space, or conversion of locale-specific formats such as
> numbers or currency. This requirement is intended to conform to the W3C
> Requirements for String Identity, Matching, and String Indexing
> (http://www.w3.org/TR/WD-charreq).
> 
> [I would put a section specifically calling out comparison of dateTime
> elements here, but we need to finish arguing about it first]
> 
> If an implementation is comparing values that are represented using
> different character encodings, the implementation MUST use a comparison
> method that returns the same result as converting both values to the Unicode
> character encoding (http://www.unicode.org), Normalization Form C (as
> described in http://www.unicode.org/unicode/reports/tr15/tr15-21.html) and
> then performing an exact binary comparison. This requirement is intended to
> conform to the W3C Character Model for the World Wide Web
> (http://www.w3.org/TR/charmod/), and in particular the rules for
> Unicode-normalized Text
> (http://www.w3.org/TR/charmod/#sec-Unicode-normalized)
> ------------------------------------------------------
> 
>  - irving -
> 

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
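
The comparison rule in Irving's proposed text, and the element-level cases Stephen raises above, as an added example in Python; this is not code from the thread or from any SAML implementation. saml_string_equal implements the proposed string rule (decode each value from its declared encoding, normalize to NFC, compare exactly, with no case folding or whitespace trimming). element_tree_equal is one possible structural comparison that makes Stephen's questions concrete: it treats <foo></foo> and <foo/> as equal but treats a different child order, or an absent attribute versus an explicit default, as unequal. That choice is an assumption made for illustration, not something the draft decides, and all sample values are constructed.

```python
import unicodedata
import xml.etree.ElementTree as ET


def saml_string_equal(a: bytes, a_encoding: str, b: bytes, b_encoding: str) -> bool:
    """Compare two string-typed SAML values under the proposed rule.

    Each value is decoded from its declared character encoding, normalized
    to Unicode Normalization Form C, and then compared code point for code
    point.  Nothing else is done: no case folding, no whitespace trimming,
    no locale-aware collation.  A value that does not decode cleanly raises
    rather than being treated as equal to anything.
    """
    ua = unicodedata.normalize("NFC", a.decode(a_encoding))
    ub = unicodedata.normalize("NFC", b.decode(b_encoding))
    return ua == ub


def element_tree_equal(a: ET.Element, b: ET.Element) -> bool:
    """One possible structural comparison of two parsed XML elements (assumption).

    Equal means: same tag, same attribute set, same text content, and the
    same children in the same document order.  This treats <foo></foo> and
    <foo/> as equal (both parse to an empty element) but treats
    <Subject><fred/><bill/></Subject> and <Subject><bill/><fred/></Subject>
    as different, because the parser preserves child order.  Whether SAML
    should consider that last pair equal is the open question in the thread;
    this function only makes the choice visible.  Schema attribute defaults
    are not applied by this non-validating parser, so an absent attribute
    and an explicit default value also differ here.
    """
    if a.tag != b.tag or dict(a.attrib) != dict(b.attrib):
        return False
    if (a.text or "") != (b.text or "") or (a.tail or "") != (b.tail or ""):
        return False
    if len(a) != len(b):
        return False
    return all(element_tree_equal(x, y) for x, y in zip(a, b))


def saml_xml_equal(xml_a: str, xml_b: str) -> bool:
    """Parse two XML fragments and compare them structurally."""
    return element_tree_equal(ET.fromstring(xml_a), ET.fromstring(xml_b))


def demo() -> dict:
    """Constructed cases taken from the thread; returns each case's result."""
    nfc = "Zo\u00eb"    # "Zoë" with precomposed U+00EB
    nfd = "Zoe\u0308"   # same text as e + COMBINING DIAERESIS
    return {
        # Shortcuts the proposed text forbids must come out unequal.
        "case_insensitive": saml_string_equal(b"Alice", "utf-8", b"alice", "utf-8"),
        "trimmed_whitespace": saml_string_equal(b"Alice ", "utf-8", b"Alice", "utf-8"),
        # The same text in different encodings or normalization forms is equal ...
        "latin1_vs_utf8": saml_string_equal(
            nfc.encode("latin-1"), "latin-1", nfc.encode("utf-8"), "utf-8"),
        "nfd_vs_nfc": saml_string_equal(
            nfd.encode("utf-8"), "utf-8", nfc.encode("latin-1"), "latin-1"),
        # ... even though a naive byte comparison says otherwise.
        "naive_bytes_nfd_vs_nfc": nfd.encode("utf-8") == nfc.encode("utf-8"),
        # Stephen's element-level cases.
        "empty_element_forms": saml_xml_equal("<foo></foo>", "<foo/>"),
        "child_order": saml_xml_equal(
            "<Subject><fred/><bill/></Subject>", "<Subject><bill/><fred/></Subject>"),
        "absent_vs_explicit_attr": saml_xml_equal("<foo/>", '<foo bar="default"/>'),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The string rule is what the proposed text pins down; the element cases show why Stephen's C14N question is separate from it, since the same byte-for-byte rule gives different answers depending on whether you compare serialized bytes or a parsed structure.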