[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Errata in ManageNameIDRequest text
See below for proposed text clarification that <NewID>/<NewEncryptedID> usage in <ManageNameIDRequest> is only intended to enable a change (notification of change) in identifier value.

-----

3.x? PEx?: Manage Name ID Request Clarification

First reported by: Scott Cantor, OSU / Brian Campbell, Ping Identity

Messages:
http://lists.oasis-open.org/archives/security-services/200501/msg00058.html
http://lists.oasis-open.org/archives/security-services/200504/msg00107.html

Documents: Bindings and Profiles

Description: The schema defines the <NewID> element of a <ManageNameIDRequest> as a string. The implication of that is that a NIM request message from IDP to SP can only be used to inform the SP of a change in identifier value (not format – format is immutable once established). There are a few places in the spec where the text implies that the format can be changed. Additionally, the text about <NewEncryptedID> should be expanded to clarify that the encrypted element is just the encrypted <NewID> element and not a full <NameID> as in the more typical <EncryptedID> element used elsewhere.

Options: There are two ways to approach this.

1) Change the schema to allow format and potentially qualifiers to be changed and make all necessary cascading changes to the spec.

2) Update the wording in the spec to bring it in line with the schema as is and clarify that only the value of the identifier can be managed with the NIM profile.

Given the complexity and scope of change involved in option 1 and the consensus that option 2 is sufficient and not too limiting, text changes consistent with option 2 are proposed below.

In Profiles, change the text on lines 1320-21 from “Subsequently, the identity provider may wish to notify the service provider of a change in the format and/or value that it will use to identify the same principal in the future” to “Subsequently, the identity provider may wish to notify the service provider of a change in the value that it will use to identify the same principal in the future”.

In Core, change the text on lines 2412-13 from “After establishing a name identifier for a principal, an identity provider wishing to change the value and/or format of the identifier that it will use when referring to the principal,…” to “After establishing a name identifier for a principal, an identity provider wishing to change the value of the identifier that it will use when referring to the principal,…”.

In Core, add the following text after line 2438: “In either case, if the <NewEncryptedID> is used, its encrypted content is just a <NewID> element containing only the new value for the identifier (format and qualifiers cannot be changed once established).”

From: Philpott, Robert [mailto:rphilpott@rsasecurity.com]

· Scott: Where we ended up is reasonable. The text does match the schema. We need some clarification text.

· Brian C: volunteered to write the text and post it to the list.
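The rule this errata pins down (a NIM request may change only the identifier value; <NewID> is a bare string, and the plaintext inside <NewEncryptedID> is a <NewID>, not a <NameID>) is easy to get wrong on the SP side, which is where an over-permissive handler could let an IdP silently switch a principal's Format or qualifiers. The following is an added example, not code from the OASIS specification or from anyone on this thread: a small Python checker that applies the rule to an incoming <ManageNameIDRequest>. The sample request XML and the `decrypt` callback are constructed for illustration; real XML-Encryption handling is assumed to live behind that callback and is out of scope here.

```python
"""Apply the value-only rule for SAML 2.0 <ManageNameIDRequest> (added example).

The SP keeps (Format, NameQualifier, SPNameQualifier, SPProvidedID) as established
and only replaces the value. The decrypt callback is an assumed interface that
returns the plaintext XML string carried inside <NewEncryptedID>.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ID_ATTRS = ("Format", "NameQualifier", "SPNameQualifier", "SPProvidedID")


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def extract_name_id_change(request_xml, decrypt=None):
    """Return (old_record, new_record) or raise ValueError.

    Records are dicts: 'value' plus the ID_ATTRS copied from the established
    <NameID>. The new record differs from the old one in 'value' only.
    """
    root = ET.fromstring(request_xml)
    if root.tag != _q(SAMLP, "ManageNameIDRequest"):
        raise ValueError("not a samlp:ManageNameIDRequest")
    if root.find(_q(SAMLP, "Terminate")) is not None:
        raise ValueError("Terminate request, not an identifier change")

    name_id = root.find(_q(SAML, "NameID"))
    if name_id is None:
        raise ValueError("only a plaintext saml:NameID is handled in this example")
    old = {"value": (name_id.text or "").strip()}
    old.update({a: name_id.get(a) for a in ID_ATTRS})

    new_id = root.find(_q(SAMLP, "NewID"))
    enc = root.find(_q(SAMLP, "NewEncryptedID"))
    if (new_id is None) == (enc is None):
        raise ValueError("exactly one of samlp:NewID / samlp:NewEncryptedID required")

    if enc is not None:
        if decrypt is None:
            raise ValueError("NewEncryptedID present but no decrypt callback supplied")
        plain = ET.fromstring(decrypt(enc))
        # Errata text: the encrypted content is just a <NewID>, never a <NameID>.
        if plain.tag != _q(SAMLP, "NewID"):
            raise ValueError("decrypted NewEncryptedID must be samlp:NewID, got %s" % plain.tag)
        new_id = plain

    # <NewID> is xs:string: no attributes, no children, so there is no place
    # in the message through which Format or a qualifier could be changed.
    if new_id.attrib or len(new_id):
        raise ValueError("samlp:NewID must be a bare string")
    value = (new_id.text or "").strip()
    if not value:
        raise ValueError("empty samlp:NewID")

    new = dict(old)
    new["value"] = value
    return old, new


# Constructed sample messages (not taken from any real deployment).
_HEAD = ('<samlp:ManageNameIDRequest xmlns:samlp="%s" xmlns:saml="%s" '
         'ID="_example1" Version="2.0" IssueInstant="2005-04-01T00:00:00Z">'
         '<saml:Issuer>https://idp.example.org</saml:Issuer>'
         '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
         'NameQualifier="https://idp.example.org" '
         'SPNameQualifier="https://sp.example.com">old-opaque-id</saml:NameID>') % (SAMLP, SAML)
SAMPLE_PLAIN_REQUEST = _HEAD + "<samlp:NewID>new-opaque-id</samlp:NewID></samlp:ManageNameIDRequest>"
SAMPLE_ENCRYPTED_REQUEST = (_HEAD + '<samlp:NewEncryptedID><xenc:EncryptedData xmlns:xenc="%s">'
                            "<xenc:CipherData><xenc:CipherValue>constructed</xenc:CipherValue>"
                            "</xenc:CipherData></xenc:EncryptedData></samlp:NewEncryptedID>"
                            "</samlp:ManageNameIDRequest>") % XENC


def fake_decrypt_newid(enc_el):
    """Assumed decrypt hook: conforming plaintext, a bare samlp:NewID."""
    return '<samlp:NewID xmlns:samlp="%s">new-opaque-id</samlp:NewID>' % SAMLP


def fake_decrypt_nameid(enc_el):
    """Assumed decrypt hook: non-conforming plaintext, a full NameID with a new Format."""
    return ('<saml:NameID xmlns:saml="%s" '
            'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">x</saml:NameID>') % SAML


if __name__ == "__main__":
    print(extract_name_id_change(SAMPLE_PLAIN_REQUEST))
    print(extract_name_id_change(SAMPLE_ENCRYPTED_REQUEST, decrypt=fake_decrypt_newid))
```

Because the new record is built by copying the established record and overwriting only `value`, the SP never has to trust any Format or qualifier arriving in the change message; the only way to alter those is a fresh federation, which is exactly what option 2 in the errata intends.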