
security-services message


Subject: Re: [security-services] The multiple subject issue

On Wed, 30 Jan 2002, Hallam-Baker, Phillip wrote:

> A statement can have exactly ONE subject that may be described by a
> Name Identifier alone, OR a Name Identifier and subject confirmation
> OR a subject confirmation alone.

Thanks for clarifying this.  I found the discussion of multiple subject
names on the last conf call deeply puzzling because I was under the
impression that we had agreed to the model you describe here, which makes
concerns about the semantics of multiple subject names per statement
simply go away because multiple subject names don't exist.  It was this
clarification we sought when discussing this at the last F2F and I'm
hoping we have found it.

The flip side of this is the claim, which I think Eve was championing on
the last call, that multiple subject names in a statement would be a good
and useful thing in some situations, and in particular that the Java
"principal" concept needs this.  While I'm not intimate with the Java
model for this stuff, let me suggest that the expression of security
properties and relationships among multiple named entities (e.g., "the
entity 'cn=Joe,ou=foo,dc=example,dc=com' with subjectConfirmation
publickey XXX also has the name 'joe@example.com' with subjectConfirmation
kerbTGT YYY") is the sort of thing that can and should be supported either
with authentication statement extensions with well-defined semantics, or
with attribute statements.  Having a single subject per statement will
allow us to avoid this semantic quicksand for now and get our spec out the

 - RL "Bob"
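The single-subject rule restated in the thread (one Subject per statement, described by a NameIdentifier, a SubjectConfirmation, or both, and never by several names) is easy to enforce mechanically at the consumer. The following checker is an added example and is not code from the thread or from any OASIS deliverable; the element names and namespace follow the SAML 1.x assertion syntax that was published after this discussion, which is an assumption here, and the sample assertions, IDs and issuer names are constructed for illustration. It accepts the three forms the message allows and rejects the "multiple subject names" shape it argues against.

```python
"""Enforce the one-subject-per-statement model on incoming assertions.

Added example, not from the mailing-list thread.  Assumes the SAML 1.x
assertion syntax (namespace, Subject/NameIdentifier/SubjectConfirmation
element names); all sample data below is constructed.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def q(local):
    """Qualify a local element name with the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


# Statement types that carry a Subject; Conditions/Advice/Signature do not.
STATEMENT_TAGS = {q("AuthenticationStatement"), q("AttributeStatement"),
                  q("AuthorizationDecisionStatement")}


class SubjectModelError(ValueError):
    """Raised when a statement violates the single-subject model."""


def classify_subject(subject):
    """Return which allowed form a Subject takes, or raise.

    Allowed: NameIdentifier alone, NameIdentifier + SubjectConfirmation,
    SubjectConfirmation alone.  Rejected: several NameIdentifiers (multiple
    subject names), several SubjectConfirmations, or nothing at all.
    """
    names = subject.findall(q("NameIdentifier"))
    confs = subject.findall(q("SubjectConfirmation"))
    if len(names) > 1:
        raise SubjectModelError(f"{len(names)} NameIdentifiers in one Subject")
    if len(confs) > 1:
        raise SubjectModelError(f"{len(confs)} SubjectConfirmations in one Subject")
    if names and confs:
        return "name+confirmation"
    if names:
        return "name-only"
    if confs:
        return "confirmation-only"
    raise SubjectModelError("Subject has neither NameIdentifier nor SubjectConfirmation")


def check_statements(assertion_xml):
    """Classify the Subject of every statement in an Assertion document."""
    root = ET.fromstring(assertion_xml)
    if root.tag != q("Assertion"):
        raise SubjectModelError(f"unexpected root element {root.tag}")
    forms = []
    for stmt in root:  # direct children only
        if stmt.tag not in STATEMENT_TAGS:
            continue
        subjects = stmt.findall(q("Subject"))
        if len(subjects) != 1:
            raise SubjectModelError(f"{len(subjects)} Subject elements in {stmt.tag}")
        forms.append(classify_subject(subjects[0]))
    return forms


def single_subject_violation(assertion_xml):
    """Return the violation message, or None if the assertion is acceptable."""
    try:
        check_statements(assertion_xml)
    except SubjectModelError as exc:
        return str(exc)
    return None


# Constructed sample: three statements, one of each allowed subject form.
VALID_ASSERTION = f"""<Assertion xmlns="{SAML_NS}" MajorVersion="1" MinorVersion="0"
  AssertionID="constructed-id-1" Issuer="idp.example.com">
  <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
      AuthenticationInstant="2002-01-30T12:00:00Z">
    <Subject>
      <NameIdentifier>cn=Joe,ou=foo,dc=example,dc=com</NameIdentifier>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
  <AttributeStatement>
    <Subject><NameIdentifier>joe@example.com</NameIdentifier></Subject>
  </AttributeStatement>
  <AttributeStatement>
    <Subject>
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
      </SubjectConfirmation>
    </Subject>
  </AttributeStatement>
</Assertion>"""

# Constructed sample: the "several names for one principal" shape the thread rejects.
MULTI_NAME_ASSERTION = f"""<Assertion xmlns="{SAML_NS}" MajorVersion="1" MinorVersion="0"
  AssertionID="constructed-id-2" Issuer="idp.example.com">
  <AttributeStatement>
    <Subject>
      <NameIdentifier>cn=Joe,ou=foo,dc=example,dc=com</NameIdentifier>
      <NameIdentifier>joe@example.com</NameIdentifier>
    </Subject>
  </AttributeStatement>
</Assertion>"""

if __name__ == "__main__":
    print(check_statements(VALID_ASSERTION))
    print(single_subject_violation(MULTI_NAME_ASSERTION))
```

A consumer that wants to relate two names for the same entity, as in the Java principal case mentioned above, would carry the second name in an attribute statement rather than a second NameIdentifier, which is exactly what this checker forces.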
