[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] AuthnContext comparison clarifications
> Scott, given that the definition of "better" is that the > resulting authn context just needs to be better than one of > the supplied requested authn contexts, can we change the > wording in line 1826 from "than any one" to "than one"? This > will align the wording used for maximum and minimum. That's fine. > Would you agree that if the entire set of authn performed on > the authority side is being returned (with at least one of > them matching the filter of course), then the statement about > "references MUST be evaluated as on ordered set" as it > applies to the comparison operations is irrelevant? I don't think so. The point of ordering is that the multiple input references don't necessarily (and in fact probably should NOT) really be comparable to each other directly. So you have to evaluate them in order in all cases, and evaluate the comparison to what your IdP options are one by one until you succeed and then you can quit. This absolutely applies to the comparison options, not just to equality, and order does matter. > Fyi... In your proposed text, change "to distinct" to "two distinct". No, I meant "to", as in what the references are referencing. > > "Note that while the references are evaluated in order, they do not > > necessarily (or even typically) constitute an ordered set relative to > > each other for comparison purposes. References can be to distinct > > classes that do not relate to each other directly in terms of > > "strength". There can be any number of input references and they can (and will) be referencing distinct classes that do not relate to each other. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]