
security-services message


Subject: Fixes for authn-context schema problems

This note describes rationale for the update to
authn-context files which will be published shortly
for vote on December 7.

Recall that the AuthNContext schema is structured in
the following way: 
core set of elements are provided in
individual classes which then restrict these elements
in particular 
(e.g., sstc-saml-schema-authn-context-pword-2.0.xsd).

The technical problem with this approach (reported by
Field-Elliott of
Ping Identity and researched by Scott C. and John K.)
is that each of 
individual classes have their own namespace distinct
from the parent
namespace. This makes use of type restriction
impossible in the manner 
by these schemas.

Unfortunately, a number of schema validators failed to
pick up this 
No, I am not going to name names but there is a
proposal that all 
schemas validate against a particular schema validator

An editorial meeting on December 6 discussed the
problem and accepted the following solution:

The authn-context schemas will be factored into three parts:

(1) A set of utility types (no target namespace)
(2) sstc-saml-schema-authncontext-2.0 (core auth
context schema)
(3) Individual classes which would define/restrict
types found in (1).

The schema in (2) includes the utility schema. The
schemas in (3) 
the base types in the utility schema to turn them into
of themselves that correspond to the context classes.
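
An added illustration of the three-part layout described in the message above, not taken from the message or from the published SAML schemas. File names, namespaces and the `PasswordType` attributes are constructed, and the use of `xs:include` and `xs:redefine` to pull in the no-namespace utility types is an assumption about the mechanism.

```xml
<!-- Three separate files, shown together. All names are constructed. -->

<!-- (1) authn-types.xsd: utility types, no targetNamespace -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified">
  <xs:complexType name="PasswordType">
    <xs:attribute name="minLength" type="xs:integer" use="optional"/>
    <xs:attribute name="maxLength" type="xs:integer" use="optional"/>
  </xs:complexType>
  <xs:complexType name="AuthnContextDeclarationBaseType">
    <xs:sequence>
      <xs:element name="Password" type="PasswordType" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="AuthenticationContextDeclaration"
              type="AuthnContextDeclarationBaseType"/>
</xs:schema>

<!-- (2) authn-core.xsd: core schema; include adopts the types into its namespace -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns="urn:example:authn-context"
           targetNamespace="urn:example:authn-context"
           elementFormDefault="qualified">
  <xs:include schemaLocation="authn-types.xsd"/>
</xs:schema>

<!-- (3) authn-class-password.xsd: one context class with its own namespace -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns="urn:example:authn-context:classes:Password"
           targetNamespace="urn:example:authn-context:classes:Password"
           elementFormDefault="qualified">
  <!-- redefine pulls the utility types into this namespace and restricts them there -->
  <xs:redefine schemaLocation="authn-types.xsd">
    <xs:complexType name="PasswordType">
      <xs:complexContent>
        <xs:restriction base="PasswordType">
          <!-- this class requires a stated minimum length -->
          <xs:attribute name="minLength" type="xs:integer" use="required"/>
        </xs:restriction>
      </xs:complexContent>
    </xs:complexType>
  </xs:redefine>
</xs:schema>
```

Because the utility file has no namespace of its own, the restricted type and the element that uses it end up in the same namespace as the class schema that redefines them.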
