
security-services message



Subject: Re: [security-services] Groups - sstc-saml-x509-authn-attrib-profile-draft-10-diff.pdf uploaded


On 8/16/06, Ari Kermaier <ari.kermaier@oracle.com> wrote:
> >
> > I would say that if you want to use NameQualifier, you should define a new
> > Format, because the existing Format left it unspecified. That's why we
> > deprecated the use of the attribute for that Format. You'd run the risk of
> > expecting NameQualifier to be one thing and somebody having already
> > implemented it to be something else.
>
> Agreed. And I think that the benefit of defining a new Format here is not worth the cost in terms of making existing general-purpose SAML 2.0 IdP implementations ineligible to participate in this profile.

This is an illusion, I'm afraid.  If it were true that an existing IdP
deployment could easily participate in this profile (without
significant modification), we probably wouldn't need this profile (as
Scott has repeatedly argued).  In fact, a year and a half of effort
trying to do so suggests otherwise.

That said, we agree it is probably unwise to define a new Format, so
we will drop the NameQualifier requirement and use straight
X509SubjectName.

A new profile document is forthcoming.  Actually, I've taken the
liberty to decompose the profile into a related set of reusable
profiles.  I hope to upload these by the end of this week.

Tom Scavo
NCSA/University of Illinois

