OASIS Mailing List Archives

security-services message


Subject: Re: [security-services] Changes for Core 26

At 11:27 AM 2/11/02 +0000, Stephen Farrell wrote:

>The problem with being logical, consistent and pure in this case
>is that it ignores reality and results in saml conformant code
>not being as useful as current proprietary products.

Actually, I wasn't going for purity per se.  I was going for the least 
number of false matches (because "FRED" isn't "fred"), at the potential 
cost of extra rejects ('sorry, you can't access resource "FRED" because 
you're only allowed access to "fred"').  This sounds more secure to me, and 
it also means a simple context-insensitive matching rule that doesn't 
depend on private agreements.  Certainly a standard is going to cut off 
some avenues for convenience that proprietary products take advantage of 
now, but often this is the cost of interoperability.

>I'm mainly thinking of resource names which are read off the wire
>by saml components as written by non-saml components. I'm not sure
>if the namespace case is the same, but it clearly has less precedent
>than the resource URI case.

I'm not sure I understand this...

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com
