security-services message

Subject: Re: [security-services] Potential errata on AuthnContextDeclRef/ClassRef

On 6/1/12 12:48 AM, "robert.philpott@rsa.com" <robert.philpott@rsa.com>
>I responded that I thought that was improper since I believed it was
>intended that those URN's were to be used in conjunction with an
><AuthnContextClassRef>, not a
>DeclRef. But when I went back and reread the relevant spec sections, it
>doesn't appear to me that we specifically disallowed it.

Well, there has to be an element of common sense. If the bucket says Fish
and you drop a Chicken in it...

So I think the issue is that people don't understand the difference
between them. I suppose the better OO analogy is that a class ref is like
a type and a decl ref is like an instance. Fish and "Sammy the Goldfish".

>Both the ClassRef and the DeclRef use the xs:anyURI
>datatype, so obviously URN's would be allowed in either one.

Sure, but that data type also applies to NameID and Attribute Name
Formats, entityIDs, etc. We don't specifically preclude those either.

>My memory is a bit fuzzy, but I believe the intention of the committee
>was as I described.
>If so, then the suggestion is that we re-examine the wording in the
>authn context and core specs and make it a bit clearer.

I think we probably need to explain what the difference is more
effectively so that the common sense implication is obvious.

I will file an errata in Jira.

-- Scott
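
Added example, not part of the original message or of any OASIS or vendor code: a receiver-side check that reports a class URI placed in an `<AuthnContextDeclRef>`, which schema validation cannot catch because both elements are `xs:anyURI`. It assumes "those URNs" are the `urn:oasis:names:tc:SAML:2.0:ac:classes:` identifiers from the SAML 2.0 Authentication Context specification; the XML samples and the declaration URL are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: the class URIs discussed in the thread share this prefix.
CLASS_URN_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
CLASS_REF = "{%s}AuthnContextClassRef" % SAML_NS
DECL_REF = "{%s}AuthnContextDeclRef" % SAML_NS


def _values(xml_text, tag):
    # Constructed input only; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter(tag)]


def class_refs(xml_text):
    """Class URIs ("Fish"): the only values to match against policy."""
    return _values(xml_text, CLASS_REF)


def misplaced_class_urns(xml_text):
    """Class URNs found in a DeclRef ("Sammy the Goldfish" slot)."""
    return [v for v in _values(xml_text, DECL_REF)
            if v.startswith(CLASS_URN_PREFIX)]


# Constructed sample: class named in ClassRef, declaration in DeclRef.
GOOD = """
<saml:AuthnContext xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  <saml:AuthnContextDeclRef>https://idp.example.org/authn/decl/password-tls</saml:AuthnContextDeclRef>
</saml:AuthnContext>
"""

# Constructed sample: schema-valid, but a class URN sits in the DeclRef.
BAD = """
<saml:AuthnContext xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextDeclRef>
</saml:AuthnContext>
"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "classes:", class_refs(doc),
              "misplaced:", misplaced_class_urns(doc))
```

A relying party that matches policy only on `class_refs()` sees no class at all in the second sample, so logging `misplaced_class_urns()` shows why the assertion failed the policy check.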
