OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Issuer / NameIdentifier overlap

I guess a few of us were nominally supposed to submit use cases around
assertions about issuers of assertions, so I guess this is a start for that,
but mostly just want to bring a few points to bear.

The one use case that was mentioned was from Tony, with the idea of
expressing operational/policy metadata as an assertion (perhaps in one or
more attributes). Which I think is interesting, but I'd note that that
doesn't actually require that Assertion Issuer be something like
Subject/NameIdentifier. It's just being able to reference somebody that
might be an Issuer *in* a Subject/NameIdentifier.

Another use for that I can imagine is some kind of trust brokering assertion
that lets me rely on a SAML authority to justify a decision to rely on a
different SAML authority.

So it's fair to say this is reasonable, and in fact my latest drafts around
new NameIdentifier usage proposes a NameIdentifier Format URI for
representing the identifier of a "provider", which is in some cases
something that could issue assertions itself. We might want to change the
name, but the basic idea is sound.

But do we have use cases in which a Subject/NameIdentifier would issue
assertions about something? Sure, anything could be a SAML authority by
definition, since it's a definition based on what you do, not who you are.
But couldn't I simply have an identifier that applies to me as an assertion
Issuer distinct from my various NameIdentifiers? I don't see why not.

So I think the question is whether there is just an intrinsic advantage in
unifying the way we refer to entities in the domain model. I think the
answer might be yes, but maybe not if we just decide to stay with the
current model of a simple string.

If we just stick with Issuer as a string attribute, and don't go any
further, than there's some advantage to that simplicity, I think. I'd even
favor going farther and forcing that be a URI, for uniqueness and to
reinforce the purpose, which is really to provide a hook into the metadata.
In 1.x we didn't have metadata, and I would argue that Issuer was useless as
a result (except if you then added custom metadata, such as Shibboleth

XACML proposes we add an IssuerFormat attribute, to profile the use of the
string value. I would argue we probably don't want to complicate the
situation without a commensurate return on that investment. In my mind,
there are two options:

a) Keep a single Issuer attribute, intended only as a way of referencing
whatever other information is available in metadata or elsewhere, so it
doesn't matter what the format is.

b) Create a consistent way of referencing "entities" be they people or
authorities, and replace the existing Issuer attribute with a
<NameIdentifier> element in <Request>, <Response>, and <Assertion>.

At least with (b), I get code and expression reuse. Going halfway and ending
up with two distinct non-trivial methods seems like a bad idea.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]