[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] Errata in ManageNameIDRequest text
I'm sure Scott is quite tired of hearing from me at this point but let
me chime in again. The text in the specs seems to be a bit contradictory.
For example: "After establishing a name identifier for a principal, an identity
provider wishing to change the value and/or format of the identifier that
it will use when referring to the principal" - Core line 2412 But shortly after that it says: "<NewID> or <NewEncryptedID> or <Terminate>
[Required] The new identifier value (in plaintext or encrypted form) to
be used when communicating with the requesting provider concerning this
principal" - Core line 2433 Not that Profiles also talks about the IDP changing the format on line 1321. I’d propose that, in addition to the changes Scott has suggested,
that the ‘and/or format’ be removed from line 1321 of Profiles and
from 2412-3 or Core. > -----Original Message----- > From: Scott Cantor [mailto:cantor.2@osu.edu] > Sent: Wednesday, April 13, 2005 3:02 PM > To: security-services@lists.oasis-open.org > Subject: [security-services] Errata in ManageNameIDRequest text > > I first thought this was a schema bug, because I could swear that things > were set up to enable an IdP to register a new ID with a different Format > or > NameQualifier with the SP, but reading closer, the text is fairly explicit > about NewID being the NameID "content" and it rules out changing anything > else. Annoying to me, but ok. > > But I think we need text explaining that if the NewID is encrypted (the > NewEncryptedID choice), that the element being encrypted is just the NewID > element and not a full NameID as in the more typical EncryptedID element. > > Otherwise it gets a little ugly and it doesn't match what's in the text to > explain what to do with it. > > -- Scott > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. You may a link to this group and all your TCs in > OASIS > at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]