OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: AuthnQuery filters

Title: Message
The  rules around using the SessionIndex and RequestedAuthnContext filters seems unclear in the sense that they suggest that at least one AuthnStatement element in the set of returned assertions MUST contain a match to the filter. That's fair enough, but it then goes on to say, it is OPTIONAL for the complete set of all such matching assertions to be returned.
Does "all such matching assertions" imply matching the filter. As in all  returned AuthnStatement elements will match the filters.  If so, why not just say all AuthnStatement elements in the set of returned assertion MUST contain a  match to the filters (if filters are supplied). Otherwise perhaps change the wording of "all such matching assertions" to something like "of other assertions"
But another way, consider a query that has a SessionIndex and RequestedAuthnContext. If there is one authn that matches the RequestedAuthnContext and  a completely different authn that contains the SessionIndex, and yet a third authn  that does not match the RequestedAuthnContext or has a SessionIndex, what could be returned?
a) nothing since both filters are not matched by a single authn.
b) the first two can be returned.
c) all three can be returned.
Thanks, Tom.

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
Securing Digital Identities
& Information


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]