OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] NameIdentifier proposed change (Sun L3 comment)



On Thu, 14 Feb 2002, Hal Lockhart wrote:

>
> > > I thought someone had pointed out a case where the name
> > > string has the
> > > security domain baked in (I can't remember the example).  In
> > > this case, it
> > > would perhaps be silly or error-prone to repeat the security domain
> > > information in a separate attribute, and the correct
> > > interpretation would
> > > be "Get the security domain info from the Name field".  Would
> > > the security
> > > domain always == the Issuer in such cases?
> >
> > A common example of where the name implies the SecurityDomain
> > is in LDAP
> > Distinguished Names, such as "cn=Irving Reid, ou=Engineering,
> > o=Baltimore.com". In this case, the RP still needs some sort
> > of policy that
> > says whether Issuer "malicious.com" is allowed to assert
> > things about that
> > DN.
>
> An even more important example is name@realm as in Kerberos or Internet
> email addresses.
>
> The history of this is that Stephen Farrell suggested that Domain be a
> separate element so it could be encrypted or not independantly from name.
>
> Some time later, Stephen Farrell asked that Domain be optional because in
> may cases, such as Kerberos, it was most natural to make the domain part of
> the name.
>
> I disagree about using the Issuer as the default Domain.
>
> I would also like to point out that Attributes have no distinct domain
> element. If none is specified, the subject domain will be used.
>
> I see no good way out of this. The two choices I consider feasible are:
>
> 1. Drop security domain. In Name, specify that AP must use either the
> "normal" repesentation for that type of name (e.g. name@realm) if there is
> one or "Domain{magic SAML delimiter}Name" where {magic SAML delimiter} is
> something we agree on.
>
> 2. Specify that AP must use either the "normal" repesentation for that type
> of name (e.g. name@realm) if there is one and not use SecurityDomain or put
> the domain in the domain in the name in the name.
>
> In either case we could list the common cases where there is a "normal"
> representation.

In the CORBA/EJB CSIv2 protocol for user names, we use the "normal" format
of "name@domain", of which the "@domain" can be optional (if it is
implied by other means).

Cheers,
-Polar


>
> Hal
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC