OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] NameIdentifier proposed change (Sun L3 comment)

At 12:05 PM 2/14/02 -0500, Irving Reid wrote:
> > From: Eve L. Maler [mailto:eve.maler@sun.com]
> > L3. Make NameIdentifier non-empty
> >
> > NameIdentifier and its type (Section add up to an empty
> > element.  Given our distaste for attributes in general, it seems
> > better for NameIdentifier to use element content for its "main"
> > purpose (e.g., what's currently in its Name attribute).
> >
> > Here's the way it would look in the instance:
> >
> >    <NameIdentifier
> > SecurityDomain="example.com">joeuser</NameIdentifier>
> >
> > Here is the proposed change to the schema:
> >
> > <complexType name="NameIdentifierType">
> >    <simpleContent>
> >      <extension base="string">
> >        <attribute name="SecurityDomain" type="string"/>
> >      </extension>
> >    </simpleContent>
> > </complexType>
>I like this change, but there's one thing that I think needs discussion.
>Currently, the SecurityDomain attribute is optional.

Yep, we have that problem already whether we change the structure of 
NameIdentifier or not.

>I see two
>(1) Change it to <attribute name="SecurityDomain" type="string"
>(2) Explicitly describe how relying parties are expected to interpret a
>missing SecurityDomain.
>I'm a little bit inclined toward (2), but I'm not sure we could come up with
>an interpretation that satisfies everyone.
>The simplest approach would be to say that if SecurityDomain is not
>specified, RPs should interpret as SecurityDomain == Issuer.

I thought someone had pointed out a case where the name string has the 
security domain baked in (I can't remember the example).  In this case, it 
would perhaps be silly or error-prone to repeat the security domain 
information in a separate attribute, and the correct interpretation would 
be "Get the security domain info from the Name field".  Would the security 
domain always == the Issuer in such cases?

>Another approach would be to say that RPs should base their policy on the
>Issuer, and just use SecurityDomain to further qualify names. However, that
>makes it difficult to do multiple Issuers producing assertions about
>overlapping sets of SecurityDomains (i.e. RP trusts Issuer1 to assert about
>Domain1 and SharedDomain, and trusts Issuer2 to assert about Domain2 and
>Can anyone think of another alternative, or have an opinion about which of
>these are preferred?

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC