security-services message

Subject: Errata in ManageNameIDRequest text


See below for proposed text clarification that <NewID>/<NewEncryptedID> usage in <ManageNameIDRequest> is only intended to enable a change (notification of change) in identifier value.

-----

3.x? PEx?: Manage Name ID Request Clarification

First reported by: Scott Cantor, OSU / Brian Campbell, Ping Identity

Messages: http://lists.oasis-open.org/archives/security-services/200501/msg00058.html
          http://lists.oasis-open.org/archives/security-services/200504/msg00107.html

Documents: Bindings and Profiles

Description:
The schema defines the <NewID> element of a <ManageNameIDRequest> as a string.  The implication of that is that a NIM request message from IDP to SP can only be used to inform the SP of a change in identifier value (not format – format is immutable once established).  There are a few places in the spec where the text implies that the format can be changed.  Additionally, the text about <NewEncryptedID> should be expanded to clarify that the encrypted element is just the encrypted <NewID> element and not a full <NameID> as in the more typical <EncryptedID> element used elsewhere.

Options:

There are two ways to approach this.  1) Change the schema to allow format and potentially qualifiers to be changed and make all necessary cascading changes to the spec.  2) Update the wording in the spec to bring it in line with the schema as is and clarify that only the value of the identifier can be managed with the NIM profile.  Given the complexity and scope of change involved in option 1 and the consensus that option 2 is sufficient and not too limiting, text changes consistent with option 2 are proposed below.

In Profiles change the text on lines 1320-21 from “Subsequently, the identity provider may wish to notify the service provider of a change in the format and/or value that it will use to identify the same principal in the future” to “Subsequently, the identity provider may wish to notify the service provider of a change in the value that it will use to identify the same principal in the future”.

In Core change the text on lines 2412-13 from “After establishing a name identifier for a principal, an identity provider wishing to change the value and/or format of the identifier that it will use when referring to the principal,…” to “After establishing a name identifier for a principal, an identity provider wishing to change the value of the identifier that it will use when referring to the principal,…”.

In Core add the following text after line 2438: “In either case, if the <NewEncryptedID> is used, its encrypted content is just a <NewID> element containing only the new value for the identifier (format and qualifiers cannot be changed once established).”

From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]
Sent: Tuesday, April 19, 2005 10:31 AM
To: security-services@lists.oasis-open.org
Subject: [security-services] Minutes for 19-april SSTC Focus Call

  1. Review new errata items
     2. Errata in ManageNameIDRequest text

· Scott: Where we ended up is reasonable. The text does match the schema. We need some clarification text.

· Brian C: volunteered to write the text and post it to the list.

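As an added example (my own code, not from the message above, the SSTC, or any SAML implementation), the following Python sketch shows what the clarified text means on the service-provider side. The SP indexes a federated identifier by format, qualifiers and value; a <ManageNameIDRequest> from the identity provider can only replace the value, and a <NewEncryptedID> is expected to decrypt to a bare <samlp:NewID>, so a decrypted <saml:NameID> (which could carry a different Format) is rejected rather than applied. The sample request, URLs, key layout and the decryption callback are constructed for illustration; XML Encryption itself and signature verification are outside the snippet and assumed to happen before it runs.

```python
# Added example (my own code, not from the OASIS message, the SSTC or any
# SAML implementation): an SP-side handler that applies the errata's rule.
# A ManageNameIDRequest may change only the identifier *value*; format and
# qualifiers are fixed once established. Names, URLs and sample XML are constructed.
import xml.etree.ElementTree as ET
from typing import Callable, Dict, NamedTuple, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
Decryptor = Callable[[ET.Element], bytes]  # caller-supplied XML Encryption step


def _q(ns: str, local: str) -> str:
    """Clark-notation tag name as ElementTree reports it."""
    return "{%s}%s" % (ns, local)


class NameIDKey(NamedTuple):
    """How the SP indexes a federated identifier. Format and both
    qualifiers are part of the key and never change; only `value` can."""
    fmt: Optional[str]
    name_qualifier: Optional[str]
    sp_name_qualifier: Optional[str]
    value: str


def key_from_name_id(elem: ET.Element) -> NameIDKey:
    return NameIDKey(elem.get("Format"), elem.get("NameQualifier"),
                     elem.get("SPNameQualifier"), (elem.text or "").strip())


def _new_value(req: ET.Element, decrypt: Optional[Decryptor]) -> Optional[str]:
    """New identifier value, or None for <Terminate/>; ValueError otherwise."""
    if req.find(_q(SAMLP, "Terminate")) is not None:
        return None
    new_id = req.find(_q(SAMLP, "NewID"))
    if new_id is None:
        enc = req.find(_q(SAMLP, "NewEncryptedID"))
        if enc is None:
            raise ValueError("no NewID, NewEncryptedID or Terminate")
        if decrypt is None:
            raise ValueError("NewEncryptedID present but no decryption configured")
        # Per the errata the plaintext is a bare <samlp:NewID>. A decrypted
        # <saml:NameID> (which could carry a different Format) is refused.
        new_id = ET.fromstring(decrypt(enc))
        if new_id.tag != _q(SAMLP, "NewID"):
            raise ValueError("NewEncryptedID must decrypt to samlp:NewID")
    value = (new_id.text or "").strip()
    if not value:
        raise ValueError("NewID is empty")
    return value


def apply_manage_name_id(xml_bytes: bytes, store: Dict[NameIDKey, str],
                         decrypt: Optional[Decryptor] = None) -> Tuple[str, str]:
    """Apply an IdP request to `store` (NameIDKey -> local principal); return the
    top-level status code plus a detail string for the ManageNameIDResponse.
    The request signature is assumed to have been verified before this point."""
    try:
        root = ET.fromstring(xml_bytes)
        if root.tag != _q(SAMLP, "ManageNameIDRequest"):
            raise ValueError("not a ManageNameIDRequest")
        name_id = root.find(_q(SAML, "NameID"))
        if name_id is None:  # saml:EncryptedID is not handled in this example
            raise ValueError("plaintext saml:NameID required")
        old = key_from_name_id(name_id)
        principal = store.get(old)
        if principal is None:
            raise ValueError("unknown identifier")  # do not echo the value back
        value = _new_value(root, decrypt)
    except (ET.ParseError, ValueError) as exc:
        return STATUS_REQUESTER, str(exc)  # store is left untouched
    del store[old]
    if value is None:
        return STATUS_SUCCESS, "terminated"
    store[old._replace(value=value)] = principal  # same format, same qualifiers
    return STATUS_SUCCESS, "changed"


# Constructed sample request: the IdP renames a persistent identifier. NameID
# is the identifier as currently established; NewID carries the new value only.
SAMPLE_CHANGE = b"""<samlp:ManageNameIDRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
    IssueInstant="2005-04-19T10:31:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://idp.example.org"
      SPNameQualifier="https://sp.example.com">handle-old</saml:NameID>
  <samlp:NewID>handle-new</samlp:NewID>
</samlp:ManageNameIDRequest>"""
OLD_KEY = NameIDKey(PERSISTENT, "https://idp.example.org",
                    "https://sp.example.com", "handle-old")
```

Calling `apply_manage_name_id(SAMPLE_CHANGE, {OLD_KEY: "alice"})` returns the Success status and re-keys "alice" under `handle-new` with the same format and qualifiers. Any malformed, unknown or format-changing request yields the Requester status and leaves the store as it was, which is the behaviour an SP wants before it builds its <ManageNameIDResponse>.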