Subject: RE: [security-services] AuthnContext comparison clarifications
Scott, given that the definition of "better" is that the resulting authn context just needs to be better than one of the supplied requested authn contexts, can we change the wording in line 1826 from "than any one" to "than one"? This will align the wording used for maximum and minimum.
Would you agree that if the entire set of authn performed on the authority side is being returned (with at least one of them matching the filter of course), then the statement about "references MUST be evaluated as an ordered set" as it applies to the comparison operations is irrelevant?
Fyi... In your proposed text, change "to distinct" to "two distinct".
> -----Original Message-----
> From: Scott Cantor [mailto:firstname.lastname@example.org]
> Sent: Saturday, February 11, 2006 11:10 PM
> To: email@example.com
> Subject: [security-services] AuthnContext comparison clarifications
> Fulfilling an action item, here is a suggested clarification we might want to make to core section 220.127.116.11.1.
> Conor noted that contexts are not necessarily a fully ordered set, so we might note this to aid in the interpretation of the comparison types, such as the following after line 1819:
> "Note that while the references are evaluated in order, they do not necessarily (or even typically) constitute an ordered set relative to each other for comparison purposes. References can be to distinct classes that do not relate to each other directly in terms of "strength". Therefore, the following comparison rules are meant to be applied individually to each input reference. Satisfying a particular comparison with respect to a *single* input reference is sufficient to satisfy the request."
> I believe this rule (satisfying a single input) applies across all of the comparison options and is the intent behind the text. It also seems to provide a straightforward algorithm to use in each case by just requiring that each input be fed into the comparison operation one at a time until one is satisfied, and you never have to keep going once you do.
> -- Scott
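Added example, not part of either message and not code from the SAML specification: a sketch of the one-input-at-a-time evaluation described in the quoted text, over a partial order in which some classes are not comparable. The class URIs are standard SAML 2.0 identifiers; the strength relation, the function names and the fail-closed handling of incomparable classes are assumptions made for illustration.

```python
# Constructed deployment policy: which authn context classes outrank which.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD = AC + "Password"
PPT = AC + "PasswordProtectedTransport"
X509 = AC + "X509"
KERBEROS = AC + "Kerberos"

# (weaker, stronger) pairs. Kerberos is deliberately left unrelated to the
# others, so the relation is a partial order, not a total one.
STRONGER_THAN = {(PASSWORD, PPT), (PPT, X509)}


def is_stronger(a, b):
    """True if class a is strictly stronger than class b (transitively)."""
    frontier, seen = [b], set()
    while frontier:
        cur = frontier.pop()
        for weaker, stronger in STRONGER_THAN:
            if weaker == cur and stronger not in seen:
                if stronger == a:
                    return True
                seen.add(stronger)
                frontier.append(stronger)
    return False


def satisfies(achieved, ref, comparison):
    """Apply one comparison type to one input reference."""
    if comparison == "exact":
        return achieved == ref
    if comparison == "minimum":
        return achieved == ref or is_stronger(achieved, ref)
    if comparison == "maximum":
        return achieved == ref or is_stronger(ref, achieved)
    if comparison == "better":
        return is_stronger(achieved, ref)
    raise ValueError("unknown comparison: %r" % comparison)


def first_satisfied(achieved, requested, comparison="exact"):
    """Feed each requested reference in order; stop at the first one satisfied.

    Incomparable classes never satisfy minimum/maximum/better (fail closed).
    Returns the satisfied reference, or None if the request is not met.
    """
    for ref in requested:
        if satisfies(achieved, ref, comparison):
            return ref
    return None
```

With this policy, a Kerberos authentication does not satisfy `minimum` against a password-based reference, because nothing relates the two classes.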