
Subject: RE: [security-services] Groups - sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded

> But w.r.t. stability of drafts, my main concern is that AFAIK 
> this profile was originally submitted to support a particular 
> use case defined by certain US government agencies.

Right, but I haven't heard from those constituencies lately. Is the draft
still needed? Whose RFP needs were being addressed and do they still have

> As interoperability with these already existing deployments is 
> likely to be a major driver of adoption of this profile, we 
> should take care not to break interop with the original 
> profile if at all possible.

As originally conceived, there could be no existing deployments since it was
being written while SAML 2.0 was being written. Have there been deployments
since? If so, it's worth asking how well that went.

> 2) Use of a NameQualifier might be a good idea to guarantee 
> uniqueness, since I guess two issuers could use the same DN 
> to identify different principals.

If that happens, didn't one of them screw up?

It's a serious question, I'm trying to understand DN theory vs. practice.
It's ok if the practice is that the theory is wrong, but what's the point of
a DN at all then? Why wouldn't I just leave the name entirely nebulous, if I
need issuer to make it unique.

> However, SAMLCore [lines 
> 474-475] says that the "NameQualifier and SPNameQualifier 
> attributes SHOULD be omitted unless the element or format 
> explicitly defines their use and semantics", which the 
> X509SubjectName format does not. Profiling by turning "MAY" 
> into "SHOULD" or "MUST" is fine, but turning "SHOULD omit" 
> into "SHOULD have" is probably asking for trouble.

I would say that if you want to use NameQualifier, you should define a new
Format, because the existing Format left it unspecified. That's why we
deprecated the use of the attribute for that Format. You'd run the risk of
expecting NameQualifier to be one thing and somebody having already
implemented it to be something else.

-- Scott
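The two points argued in this exchange (NameQualifier SHOULD be omitted on an X509SubjectName NameID because that Format does not define its semantics, and the same DN issued by two different issuers collides unless the relying party scopes identity by issuer) can be shown as a small relying-party check. The example below is added here and is not code from the thread or from any OASIS deliverable; the SAML 2.0 assertion namespace and the X509SubjectName format URN are the real identifiers, while the issuer URLs and the DN are constructed sample values.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed sample: two issuers asserting the same DN. The second one also
# carries a NameQualifier, which the X509SubjectName Format leaves undefined.
SAMPLE_ASSERTIONS = [
    """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_a1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
      <saml:Issuer>https://idp-a.example/</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          >CN=Jane Doe,OU=Staff,O=Example</saml:NameID>
      </saml:Subject>
    </saml:Assertion>""",
    """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_b1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
      <saml:Issuer>https://idp-b.example/</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          NameQualifier="idp-b.example">CN=Jane Doe,OU=Staff,O=Example</saml:NameID>
      </saml:Subject>
    </saml:Assertion>""",
]


def parse_name_id(assertion_xml):
    """Extract the Issuer and the Subject NameID (value plus its attributes)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer")
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if issuer is None or name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks Issuer or a non-empty Subject/NameID")
    return {
        "issuer": issuer.strip(),
        "format": name_id.get("Format"),
        "value": name_id.text.strip(),
        "name_qualifier": name_id.get("NameQualifier"),
        "sp_name_qualifier": name_id.get("SPNameQualifier"),
    }


def check_name_id(nid):
    """Return warnings for qualifier attributes the Format does not define.

    SAMLCore says NameQualifier/SPNameQualifier SHOULD be omitted unless the
    Format defines their use; X509SubjectName does not, so a relying party
    must not attach any meaning to them here (the thread's second point).
    """
    warnings = []
    if nid["format"] == X509_SUBJECT_NAME:
        for attr, xml_name in (("name_qualifier", "NameQualifier"),
                               ("sp_name_qualifier", "SPNameQualifier")):
            if nid[attr] is not None:
                warnings.append(f"{xml_name}={nid[attr]!r} present on an "
                                f"X509SubjectName NameID; semantics undefined, ignoring")
    return warnings


def principal_key(nid, scope_by_issuer=True):
    """Identity key for the asserted principal.

    Scoping by Issuer (not by NameQualifier) is what keeps two issuers that
    hand out the same DN from mapping to one local principal. The DN is
    compared as a plain string here; real DN matching rules are stricter.
    """
    return (nid["issuer"], nid["value"]) if scope_by_issuer else (nid["value"],)


def find_collisions(nids, scope_by_issuer=True):
    """List keys that two different issuers both resolve to."""
    first_issuer = {}
    collisions = []
    for nid in nids:
        key = principal_key(nid, scope_by_issuer)
        if key in first_issuer and first_issuer[key] != nid["issuer"]:
            collisions.append(key)
        first_issuer.setdefault(key, nid["issuer"])
    return collisions


def analyze(assertions, scope_by_issuer=True):
    nids = [parse_name_id(a) for a in assertions]
    return {
        "warnings": [w for nid in nids for w in check_name_id(nid)],
        "collisions": find_collisions(nids, scope_by_issuer),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_ASSERTIONS, scope_by_issuer=False))
    print(analyze(SAMPLE_ASSERTIONS, scope_by_issuer=True))
```

Run against the two constructed assertions, the unscoped pass reports one DN collision and the issuer-scoped pass reports none; both passes emit a warning for the NameQualifier on the second NameID, which is the attribute the relying party has no defined basis for interpreting.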
