OASIS Mailing List Archives

security-services message
Subject: Re: [security-services] Request to Generalize Issuer - was XACML change request


I had an action (AI-25) to provide element-based and attribute-based 
solutions to allow Issuer to carry NameQualifier and Format information. 
Sorry for the truly horrible delay in doing this writeup.

You'll recall that we can't do this:

<attribute name="Issuer" type="saml:NameIdentifierType" use="required" />

because NameIdentifierType is a complex type, and attributes can't be 
bound to such.


An Element-Based Solution:
==========================

If we move Issuer information into an element structure, it's 
backwards-incompatible but is more consonant with our existing 
element-based NameIdentifier solution.  We could either wait till SAML 
2.0 to put this in, or make this new structure an optional feature in 
SAML 1.1 and let it sit alongside the existing Issuer-as-attribute 
information.  However, note that Issuer is currently a required 
attribute and this can't change in SAML 1.1, so if people did use the 
new structure, they'd be duplicating some information in the instance.

Currently, Issuer information is provided like this:

<Assertion
   {other_assertion_metadata_attributes}
   Issuer="http://www.example.com/AttribAuthority">
   <Conditions>...</Conditions>
   <Advice>...</Advice>
   {assertion_content}
</Assertion>

We could either just add an <IssuerIdentifier> subelement, or we could 
add a more generic subelement that is prepared to hold future 
element-structured metadata that we dream up.  Here I'll go with the 
former strategy, to keep it concrete and realistic.

The instance would now look like this (I'm keeping the old-style format 
string for now, to avoid confusing things further, but remember that we 
agreed to fix the fragment ID problem and invent new URNs):

<Assertion {metadata_attributes}>
   <IssuerIdentifier
   IssuerQualifier="www.example.com"
   Format=
   "urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName">
     AttribAuthority
   </IssuerIdentifier>
   <Conditions>...</Conditions>
   <Advice>...</Advice>
   {assertion_content}
</Assertion>


An Attribute-Based Solution:
============================

We can enhance the current Issuer attribute to allow for an 
IssuerQualifier and a Format to be provided in sister attributes.  This 
is something that I think we can do in SAML 1.1, if we think the 
description of Issuer can tolerate the additional interpretations that 
we'd need to layer on top:

"The issuer of the assertion. The name of the issuer is provided as a 
string. The issuer name SHOULD be unambiguous to the intended relying 
parties. SAML authorities may use an identifier such as a URI reference 
that is designed to be unambiguous regardless of context."

However, in practice I think there is an interoperability problem 
because we've now got two fields to divide the old Issuer-field 
information into.

The instance would look like this (note that I broke up the original 
value into two places):

<Assertion
   {other_metadata_attributes}
   Issuer="AttribAuthority"
   IssuerQualifier="www.example.com"
   Format=
   "urn:oasis:names:tc:SAML:1.0:assertion#WindowsDomainQualifiedName">
   <Conditions>...</Conditions>
   <Advice>...</Advice>
   {assertion_content}
</Assertion>


Final Comments
==============

It may be that we want to keep the old Issuer attribute exactly as it 
is, semantics and all, and simply add alongside *whichever* solution 
(element-based or attribute-based) we decide is best for the future.  It 
will require duplication of information in instances for anyone who 
wishes to get the benefits of articulated issuer info in SAML 1.1, but 
at least there's no tortured logic, and the transition to SAML 2.0 would 
be straightforward (drop the annoying old Issuer attribute and use the 
new solution exclusively).

I haven't sketched up the schema code yet; let's see which way we prefer 
to go first.

	Eve

Hal Lockhart wrote:
> In the last meeting I agreed to provide specific changes required to 
> allow the Issuer to contain NameQualifier and Format, just as subject 
> does, in order to provide more flexible matching of Issuer names. I also 
> suggested, without looking at the schema, that the changes could be made 
> backward compatible by using a Choice. However, it turns out that Issuer 
> is an XML attribute.
> 
> So it looks like the change required is to change the line:
> 
> 
>   <attribute name="Issuer" type="string" use="required" />
> 
> to:
> 
> 
>   <attribute name="Issuer" type="saml:NameIdentifierType" use="required" />
> 
> 
> Since NameIdentifierType extends string and since NameQualifier and 
> Format are use="optional" I think this is backward compatible, but I may 
> be wrong.
> 
> In the core spec, the simplest change would be to change the sentence on 
> line 383 from:
> 
> The name of the issuer is provided as a string.
> 
> to:
> 
> The name of the issuer is provided as a SAML NameIdentifier. The 
> NameIdentifier is described in section 2.4.2.2.
> 
> Alternatively, the description of NameIdentifier could be moved forward 
> in the document.
> 
> Hal
> 

-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Technologies and Standards               eve.maler @ sun.com
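
The three Issuer encodings compared in the message above (the existing Issuer attribute, the attribute-based IssuerQualifier/Format sisters, and the element-based IssuerIdentifier child), parsed and matched as a relying party would have to do. This is an added example, not code from the SAML TC or from the message's author: the element and attribute names come from the sketches in the message, while the helper names, the trust-store shape and the sample assertion instances are constructed here for illustration. The old-style fragment-ID Format string is kept deliberately, as in the message.

```python
"""Issuer extraction for the three SAML 1.x Issuer encodings in this thread.

Added example, not code from the SAML TC or from the message's author.
The IssuerIdentifier element and the IssuerQualifier/Format attributes are the
proposals sketched in the message; the helper names, the trust-store shape and
the sample assertions below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Old-style fragment-ID format string, as used in the message's sketches.
WDQN_FORMAT = SAML_NS + "#WindowsDomainQualifiedName"


@dataclass(frozen=True)
class IssuerName:
    """Articulated issuer: local name plus optional qualifier and format."""
    name: str
    qualifier: Optional[str] = None
    name_format: Optional[str] = None


def parse_issuer(assertion_xml: str) -> IssuerName:
    """Return the issuer of a SAML 1.x assertion under any of three encodings.

    1. Legacy: the single required Issuer attribute (SAML 1.0/1.1 as published).
    2. Attribute-based proposal: Issuer plus sister IssuerQualifier and Format.
    3. Element-based proposal: an <IssuerIdentifier> child, which takes
       precedence when both are present (the message notes the attribute
       stays required in 1.1, so such instances carry both).

    xml.etree is used for brevity; untrusted SAML should go through a
    hardened parser (e.g. defusedxml), and the signature must be verified
    before the Issuer value is trusted for anything.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag.split("}")[-1] != "Assertion":
        raise ValueError("expected a SAML Assertion element")
    # The message's sketches omit the namespace declaration, so accept the
    # child either in the SAML namespace or unqualified.
    elem = root.find(f"{{{SAML_NS}}}IssuerIdentifier")
    if elem is None:
        elem = root.find("IssuerIdentifier")
    if elem is not None:
        name = (elem.text or "").strip()
        if not name:
            raise ValueError("IssuerIdentifier is present but empty")
        return IssuerName(name, elem.get("IssuerQualifier"), elem.get("Format"))
    name = root.get("Issuer")
    if name is None:
        raise ValueError("Issuer attribute is required in SAML 1.x")
    return IssuerName(name, root.get("IssuerQualifier"), root.get("Format"))


def is_trusted(issuer: IssuerName, trusted: FrozenSet[IssuerName]) -> bool:
    """Match on the whole (name, qualifier, format) triple, never on the local
    name alone: the same local name under another qualifier is a different
    issuer. A bare legacy name is also a different value from its split form,
    which is the interoperability problem the message points out."""
    return issuer in trusted


# Constructed sample instances (not from the spec or the message).
_COMMON = ('xmlns="%s" MajorVersion="1" MinorVersion="1" AssertionID="_a1" '
           'IssueInstant="2003-01-01T00:00:00Z"' % SAML_NS)
LEGACY_ASSERTION = (
    f'<Assertion {_COMMON} Issuer="http://www.example.com/AttribAuthority">'
    '<Conditions/></Assertion>')
ATTRIBUTE_ASSERTION = (
    f'<Assertion {_COMMON} Issuer="AttribAuthority" '
    f'IssuerQualifier="www.example.com" Format="{WDQN_FORMAT}">'
    '<Conditions/></Assertion>')
ELEMENT_ASSERTION = (
    f'<Assertion {_COMMON} Issuer="http://www.example.com/AttribAuthority">'
    f'<IssuerIdentifier IssuerQualifier="www.example.com" Format="{WDQN_FORMAT}">'
    'AttribAuthority</IssuerIdentifier><Conditions/></Assertion>')

TRUSTED = frozenset({IssuerName("AttribAuthority", "www.example.com", WDQN_FORMAT)})

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY_ASSERTION),
                       ("attribute", ATTRIBUTE_ASSERTION),
                       ("element", ELEMENT_ASSERTION)):
        issuer = parse_issuer(doc)
        print(f"{label:9s} -> {issuer}  trusted={is_trusted(issuer, TRUSTED)}")
```

The element-based and attribute-based instances resolve to the same triple and match the trust store; the legacy single-string instance does not, because nothing in the instance says how "http://www.example.com/AttribAuthority" splits into a name and a qualifier. A relying party that wants to accept both during a SAML 1.1 transition has to add that mapping out of band, which is the duplication and interoperability cost the message describes. Matching on the full triple rather than the local name is also what keeps an issuer named "AttribAuthority" under some other qualifier from being accepted.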


