OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] NameIdentifier proposed change (Sun L3 comment)

> From: Eve L. Maler [mailto:eve.maler@sun.com]

> I thought someone had pointed out a case where the name 
> string has the 
> security domain baked in (I can't remember the example).  In 
> this case, it 
> would perhaps be silly or error-prone to repeat the security domain 
> information in a separate attribute, and the correct 
> interpretation would 
> be "Get the security domain info from the Name field".  Would 
> the security 
> domain always == the Issuer in such cases?

A common example of where the name implies the SecurityDomain is in LDAP
Distinguished Names, such as "cn=Irving Reid, ou=Engineering,
o=Baltimore.com". In this case, the RP still needs some sort of policy that
says whether Issuer "malicious.com" is allowed to assert things about that
DN.

This implies that the RP knows or can guess what syntax to expect for the
name, which I think will lead us into interop nightmares.

A naive RP could simply say that whatever DNs it gets from issuer
malicious.com are treated relative its policy for malicious.com, so that
there's no way for these assertions to leak over and take advantage of
policy intended for baltimore.com.


Frankly, I think we're going to have trouble in Last Call with the fact that
we haven't explicitly addressed issues of interoperability between SAML and
LDAP.

 - irving -


-----------------------------------------------------------------------------------------------------------------
The information contained in this message is confidential and is intended 
for the addressee(s) only.  If you have received this message in error or 
there are any problems please notify the originator immediately.  The 
unauthorized use, disclosure, copying or alteration of this message is 
strictly forbidden. Baltimore Technologies plc will not be liable for direct, 
special, indirect or consequential damages arising from alteration of the 
contents of this message by a third party or as a result of any virus being 
passed on.

 
This footnote confirms that this email message has been swept by 
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC