Subject: Re: [security-services] Comments on Issuer Format proposal(28d-draft-solution-0.1.pdf)
> In any case, I'd like to see a clear use case where knowing either the
> format or the classification makes a real difference to a SAML or XACML
> deployment.

I think the main argument for this proposal, other than consistency with XACML, is consistency between Subject and Issuer. I believe I argued for this myself, a long time ago.

The motivation for consistency is, as the proposal says, that sometimes Issuers will be Subjects. For example, an assertion might state that a Subject has attributes that represent capabilities of that Subject acting as an Issuer. The suggestion that we treat configuration data (aka metadata) exchange as attribute exchange would make this common, it seems to me.

It seems to me that all the considerations that led us to a 3-part Subject name identifier (NameQualifier, Format, Name string itself) apply to Issuers as well.

I suppose an argument for Issuer to be simply a string is that it is likely to be matched against a name supplied by a signing credential such as an X.509 cert, which is a string or which can be converted to a string for matching purposes.

Perhaps the use case of making a Statement whose Subject is the Issuer of a different Assertion needs to be written down to clarify the requirements.

- RL "Bob"
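The following is an added example, not code from the thread or from the OASIS committee. It works through the two points the message raises: matching an Issuer against the Subject of a different assertion (where comparing only the name string is ambiguous but the three-part tuple of NameQualifier, Format and name string is not), and matching an Issuer against the subject name of an X.509 signing certificate. The assertions are constructed sample input, the SAML 2.0 namespace and the two Format URIs are the real identifiers, and `normalize_dn` is a deliberately simplified hypothetical helper (it does not handle escaped commas or multi-valued RDNs as RFC 4514 would).

```python
"""Three-part name matching for SAML Issuers and Subjects (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Real Format URIs from SAML 1.1 and SAML 2.0.
FMT_X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"


@dataclass(frozen=True)
class NameID:
    """The three-part name the message describes: qualifier, format, name string."""
    value: str
    format: Optional[str] = None
    name_qualifier: Optional[str] = None

    @classmethod
    def from_element(cls, el: ET.Element) -> "NameID":
        return cls(value=(el.text or "").strip(),
                   format=el.get("Format"),
                   name_qualifier=el.get("NameQualifier"))


def string_match(a: NameID, b: NameID) -> bool:
    """The 'Issuer is simply a string' option: compare the name string only."""
    return a.value == b.value


def three_part_match(a: NameID, b: NameID) -> bool:
    """Compare all three parts; an absent Format/NameQualifier matches only absent."""
    return a == b


def normalize_dn(dn: str) -> str:
    """Hypothetical, simplified DN normalization: split on commas, trim
    whitespace, upper-case attribute types. Not RFC 4514-complete."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split("=", 1)
        parts.append(f"{typ.strip().upper()}={val.strip()}")
    return ",".join(parts)


def issuer_matches_cert_subject(issuer: NameID, cert_subject_dn: str) -> bool:
    """The X.509 use case: only meaningful when Format says the name string is a
    subject DN. An entity-format name is not a DN and must not match."""
    if issuer.format != FMT_X509_SUBJECT:
        return False
    return normalize_dn(issuer.value) == normalize_dn(cert_subject_dn)


def load_names(assertion_xml: str) -> Tuple[NameID, NameID]:
    """Return (Issuer, Subject NameID) of a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find(f"{{{SAML2}}}Issuer")
    subject_el = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if issuer_el is None or subject_el is None:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    return NameID.from_element(issuer_el), NameID.from_element(subject_el)


# Constructed sample input. The IdP issues an assertion about a user, and a
# metadata authority issues an assertion whose Subject is that IdP.
ASSERTION_FROM_IDP = f"""
<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_a1">
  <saml:Issuer Format="{FMT_X509_SUBJECT}">CN=idp.example.com,O=Example Corp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

ASSERTION_ABOUT_IDP = f"""
<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_a2">
  <saml:Issuer Format="{FMT_ENTITY}">https://metadata.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{FMT_X509_SUBJECT}">CN=idp.example.com,O=Example Corp</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Same name string, but the Subject is declared as an entityID, not a DN.
ASSERTION_SAME_STRING_OTHER_FORMAT = f"""
<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_a3">
  <saml:Issuer Format="{FMT_ENTITY}">https://metadata.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{FMT_ENTITY}">CN=idp.example.com,O=Example Corp</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def demo() -> dict:
    """Run the comparisons and return the results by name."""
    idp_issuer, _ = load_names(ASSERTION_FROM_IDP)
    _, subj_dn = load_names(ASSERTION_ABOUT_IDP)
    _, subj_entity = load_names(ASSERTION_SAME_STRING_OTHER_FORMAT)
    return {
        "issuer_is_subject_three_part": three_part_match(idp_issuer, subj_dn),
        "ambiguous_string_only": string_match(idp_issuer, subj_entity),
        "disambiguated_three_part": three_part_match(idp_issuer, subj_entity),
        "issuer_matches_cert": issuer_matches_cert_subject(
            idp_issuer, "cn=idp.example.com, o=Example Corp"),
        "entity_name_vs_cert": issuer_matches_cert_subject(
            subj_entity, "cn=idp.example.com, o=Example Corp"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The string-only comparison reports the entity-format Subject as the same principal as the DN-format Issuer, which is exactly the ambiguity a Format attribute removes; the certificate check likewise refuses to compare a name that is not declared to be a DN.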