Subject: Re: [security-services] LDAP Attribute Profile (saml-profiles-saml2.0)
On Mon, 16 Jan 2006, Greg Whitehead wrote:

> 2) The ONLY clue we have that the AttributeValue is encoded using the
> X500/LDAP profile is an attribute in the profile namespace
> (x500:Encoding). Unless we know to look for that attribute, or we search
> for all attributes that we don't understand and throw up our hands if
> any are found, there is NO way to know what crazy encoding rules have
> been applied to the AttributeValue (such as ASN.1 octet string
> wrappers).

Hmm, the point of the ldapprof:Encoding="LDAP" XML attribute isn't to call out the use of the X.500/LDAP profile as a whole, it's to indicate that, in that profile, the LDAP-specific encoding is being used, rather than any other possible encodings, none of which have been defined yet (but possibilities might include X.500 and RXER some day). If we had decided not to leave the door open for those other encodings, but said this profile is only LDAP forever, there would have been no Encoding XML attribute at all.

So I think the point is that by using as a SAML attribute Name an OID that is defined as an X.500/LDAP attribute type, you're using the X.500/LDAP profile, like it or not. So it's like Scott said about LDAP: the format is determined by the attribute name, which should be clear, no?

I suppose someone could come along and add a myFormat="Klingon" XML attribute to the AttributeValue element of any SAML Attribute in hopes it would affect the processing. Should SAML attribute profiles have language specifically precluding this? Seems like trying to specify common sense.

 - RL "Bob"
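The following is an added example, not part of the original message or of any SAML implementation: a relying-party sketch that picks the decoding from the attribute Name, as the reply describes, and separately reports XML attributes on AttributeValue that it does not understand, as the quoted concern suggests. The namespace URIs come from the SAML 2.0 specifications rather than from this message; the small OID registry, the function name `classify` and the decision labels are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
X500 = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ENCODING = "{%s}Encoding" % X500
VALUE = "{%s}AttributeValue" % SAML
KNOWN_ON_VALUE = {ENCODING, "{%s}type" % XSI, "{%s}nil" % XSI}

# Hypothetical local registry: a small subset of OIDs that are X.500/LDAP attribute types.
LDAP_TYPES = {"2.5.4.3": "cn", "2.5.4.4": "sn", "2.5.4.42": "givenName"}

# Constructed sample: givenName carrying the stray myFormat attribute from the message.
SAMPLE = """<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:2.5.4.42" FriendlyName="givenName">
  <saml:AttributeValue x500:Encoding="LDAP" myFormat="Klingon">Steven</saml:AttributeValue>
</saml:Attribute>"""


def classify(attribute_xml):
    """Decide how to decode one saml:Attribute and report what was not understood."""
    # Assumes the enclosing assertion's signature has already been verified.
    attr = ET.fromstring(attribute_xml)
    name = attr.get("Name", "")
    oid = name[len("urn:oid:"):] if name.startswith("urn:oid:") else None
    # The profile is selected by the Name (a known OID in URI format), not by Encoding.
    ldap_type = LDAP_TYPES.get(oid) if attr.get("NameFormat") == URI_FORMAT else None
    values = attr.findall(VALUE)
    # Encoding is accepted on the Attribute or on any AttributeValue element.
    encodings = {e.get(ENCODING) for e in [attr] + values if e.get(ENCODING) is not None}
    unknown = sorted({k for v in values for k in v.attrib if k not in KNOWN_ON_VALUE})
    if ldap_type is None:
        decision = "not-x500-ldap-profile"
    elif encodings - {"LDAP"}:
        decision = "reject-unsupported-encoding"
    else:
        # Assumption of this sketch: a missing Encoding is treated as LDAP, the only one defined.
        decision = "decode-as-ldap-string"
    return {"ldap_type": ldap_type, "decision": decision,
            "unknown_value_attrs": unknown, "values": [v.text for v in values]}


if __name__ == "__main__":
    print(classify(SAMPLE))
```

The unrecognized attribute is surfaced in `unknown_value_attrs` without changing the decoding decision, so a deployment can log it or apply a stricter local policy.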