[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [security-services] NameIdentifier proposed change (Sun L3 comment)
> From: Eve L. Maler [mailto:eve.maler@sun.com] > I thought someone had pointed out a case where the name > string has the > security domain baked in (I can't remember the example). In > this case, it > would perhaps be silly or error-prone to repeat the security domain > information in a separate attribute, and the correct > interpretation would > be "Get the security domain info from the Name field". Would > the security > domain always == the Issuer in such cases? A common example of where the name implies the SecurityDomain is in LDAP Distinguished Names, such as "cn=Irving Reid, ou=Engineering, o=Baltimore.com". In this case, the RP still needs some sort of policy that says whether Issuer "malicious.com" is allowed to assert things about that DN. This implies that the RP knows or can guess what syntax to expect for the name, which I think will lead us into interop nightmares. A naive RP could simply say that whatever DNs it gets from issuer malicious.com are treated relative its policy for malicious.com, so that there's no way for these assertions to leak over and take advantage of policy intended for baltimore.com. Frankly, I think we're going to have trouble in Last Call with the fact that we haven't explicitly addressed issues of interoperability between SAML and LDAP. - irving - ----------------------------------------------------------------------------------------------------------------- The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Baltimore Technologies plc will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on. This footnote confirms that this email message has been swept by Baltimore MIMEsweeper for Content Security threats, including computer viruses.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC