security-services message

Subject: errata: alternate definition of strongly matches


In SAML V1.1, the definition of strongly matches seems to imply that
the SubjectConfirmation elements of the two Subjects have the same
"deep structure", which is overly restrictive.  In SAML V2.0, on the
other hand, the definition of strongly matches rests on a condition
that is difficult (if not impossible) to test, namely, the actual
confirmation process itself.  For reference, see the following
discussion:

http://www.oasis-open.org/archives/saml-dev/200601/msg00010.html
http://www.oasis-open.org/archives/saml-dev/200610/msg00001.html

In lieu of the condition on lines 1954--1956 of SAMLCore, I will offer
as errata to the SAML V2.0 definition of strongly matches the
following alternate condition:

If S2 includes a <saml:SubjectConfirmation> element, then S1 MUST
include a corresponding <saml:SubjectConfirmation> element such that
a) the values of the Method attributes of the two
<saml:SubjectConfirmation> elements are equal, and b) if the
<saml:SubjectConfirmation> element of S2 contains a <saml:BaseID>,
<saml:NameID>, or <saml:EncryptedID> element, then the
<saml:SubjectConfirmation> element of S1 MUST contain an identical
<BaseID>, <NameID>, or <EncryptedID> element (resp.).

This condition is testable at least.

Comments?

Tom Scavo
NCSA/University of Illinois

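The proposed condition is meant to be testable, so here is a check that implements it over two parsed `<saml:Subject>` elements. This is an added example, not code from the post or from the OASIS SSTC; it implements only the replacement condition quoted above (the other clauses of the SAMLCore strongly-matches definition, such as comparing the Subjects' own identifiers, are assumed to be checked elsewhere). Two readings are assumptions: "identical" is taken as structural equality of tag, attributes, text and child subtrees (no XML canonicalization), and the condition is applied to every `<saml:SubjectConfirmation>` in S2, each of which must find a corresponding element in S1. The `subject`/`confirmation` helpers and all sample values are constructed for the example.

```python
import xml.etree.ElementTree as ET

# SAML V2.0 assertion namespace and the element names the proposed condition inspects.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SC_TAG = f"{{{SAML_NS}}}SubjectConfirmation"
ID_TAGS = tuple(f"{{{SAML_NS}}}{name}" for name in ("BaseID", "NameID", "EncryptedID"))

# Confirmation methods used by the constructed samples (standard SAML V2.0 method URIs).
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def identical(a, b):
    """'Identical' read as structural equality (assumption): same tag, attributes,
    text and child subtrees, in document order. No canonicalization is applied."""
    if a.tag != b.tag or dict(a.attrib) != dict(b.attrib):
        return False
    if (a.text or "").strip() != (b.text or "").strip():
        return False
    if len(a) != len(b):
        return False
    return all(identical(x, y) for x, y in zip(a, b))


def identifier_of(sc):
    """Return the BaseID, NameID or EncryptedID child of a SubjectConfirmation, if any."""
    for child in sc:
        if child.tag in ID_TAGS:
            return child
    return None


def corresponds(sc1, sc2):
    """Clauses a) and b) of the proposed condition for one pair of confirmations.
    SubjectConfirmationData is deliberately not compared: no deep-structure requirement."""
    if sc1.get("Method") != sc2.get("Method"):   # a) Method values must be equal
        return False
    id2 = identifier_of(sc2)
    if id2 is None:                               # b) applies only if S2's confirmation carries an identifier
        return True
    id1 = identifier_of(sc1)
    return id1 is not None and identical(id1, id2)


def confirmation_condition_holds(s1, s2):
    """True if every SubjectConfirmation of S2 has a corresponding one in S1
    (vacuously true when S2 has none). Generalizes the quoted text to several
    confirmations per Subject; that generalization is an assumption."""
    confirmations1 = s1.findall(SC_TAG)
    return all(any(corresponds(sc1, sc2) for sc1 in confirmations1)
               for sc2 in s2.findall(SC_TAG))


def subject(name_id_xml, *confirmation_xml):
    """Build a constructed saml:Subject from XML fragments (sample data only)."""
    body = name_id_xml + "".join(confirmation_xml)
    return ET.fromstring(f'<saml:Subject xmlns:saml="{SAML_NS}">{body}</saml:Subject>')


def confirmation(method, identifier_xml="", data_xml=""):
    """Build a constructed saml:SubjectConfirmation fragment."""
    return (f'<saml:SubjectConfirmation Method="{method}">'
            f"{identifier_xml}{data_xml}</saml:SubjectConfirmation>")


if __name__ == "__main__":
    alice = "<saml:NameID>alice@example.org</saml:NameID>"
    # S2 and S1 both use bearer confirmation but with differently shaped
    # SubjectConfirmationData: under the proposed condition they still match.
    s2 = subject(alice, confirmation(
        BEARER, data_xml='<saml:SubjectConfirmationData NotOnOrAfter="2006-10-31T00:00:00Z"/>'))
    s1 = subject(alice, confirmation(
        BEARER, data_xml='<saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"/>'))
    print(confirmation_condition_holds(s1, s2))                                       # True
    # Different Method -> no corresponding confirmation in S1.
    print(confirmation_condition_holds(subject(alice, confirmation(HOLDER_OF_KEY)), s2))  # False
    # S2's confirmation names a key holder; S1 must carry an identical NameID.
    key_id = ('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">'
              "CN=alice</saml:NameID>")
    s2_hok = subject(alice, confirmation(HOLDER_OF_KEY, identifier_xml=key_id))
    print(confirmation_condition_holds(subject(alice, confirmation(HOLDER_OF_KEY, identifier_xml=key_id)), s2_hok))  # True
    print(confirmation_condition_holds(subject(alice, confirmation(HOLDER_OF_KEY)), s2_hok))                         # False
```

Because `corresponds` never looks inside `<saml:SubjectConfirmationData>`, two Subjects whose confirmations differ only in that element (different `Recipient`, `NotOnOrAfter`, or key material layout) still satisfy the condition, which is the relaxation of the V1.1 deep-structure reading the message argues for; the identifier clause is the only place where byte-for-byte agreement is required.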