OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Comments on Core 13 & Profiles 08 around SubjectConfirmationData

Scott, specifically, interplay of two above specs wrt SubjectConfirmationData.
In Section, Core 13 defines SubjectConfirmationData as

<SubjectConfirmationData> [Optional]

    Additional authentication information to be used by a specific authentication protocol. For example, typical content of this element might be a <ds:KeyInfo> element as defined in the XML Signature Syntax and Processing specification [XMLSig], which identifies a cryptographic key.

In Section 3.2, Profiles 08 refers to various attributes on SubjectConfirmationData, e.g. NotOnOrAfter, NotBefore, etc


1) Core schema doesn't currently allow for these NotOnOrAfter & NotBefore (nor the others) attributes on SubjectConfirmationData, the schema for which is

 <element name="SubjectConfirmationData" type="anyType" />

2) Logically, the attributes NotOnOrAfter and NotBefore seem inconsistent with the above definition for SubjectConfirmationData, i.e. they are conditions on the confirmation rather than data to be used for that confirmation.

3) What is the relation between these NotOnOrAfter and NotBefore attributes on SubjectConfirmationData and the attributes of the same name on the Condition element. What would it mean for an assertion to be valid for some interval (as defined by the times specifed in the Conditions element) but during which the Subject can't confirm itself (as specified by the times on the SubjectConfirmationData element)?


Paul Madsen
e:  p.madsen@entrust.com
p:  613-270-2632
c:  613-799-2632
Securing Digital Identities
& Information

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]