security-services message



Subject: comments on attribute-02



[Sorry, only have time for very brief comment, and probably won't be able
to be on focus call.]

My comments here more or less repeat those at the end of my note to the TC
on 2003-10-23, regarding requirements 2.3 (Express attribute issuer) and
2.4 (Ability to express attribute data-type at the attribute level).  It
is difficult to argue that someone else's requirements aren't
requirements, but I remain of the opinion that these features, if added to
the standard attribute schema, will not be used much, and will add
complexity to implementations, and so aren't in our interest to put in.

I also continue to think that if the motivation for including these
features is consistency with XACML representation of attributes, this
concern is misplaced.  I'm sure it is the case that it is useful in XACML
policies and attribute stores to represent issuers and datatypes of
individual attributes.  But this is because XACML policy evaluation might
well involve looking at attributes from a large set of issuers and
attribute definers.  But this does not mean at all that there is a general
need to represent this diversity in individual SAML assertions.  No other
attribute-transfer system I'm familiar with (e.g. X.500) has found this to
be a requirement.

I'd like to see more folks in the TC speak up for finding these features
useful before deciding to include them.

 - RL "Bob"
