OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Created: (SECURITY-20) Improve explanation of difference between AuthnContextDeclRef and ClassRef

Improve explanation of difference between AuthnContextDeclRef and ClassRef
--------------------------------------------------------------------------

                 Key: SECURITY-20
                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-20
             Project: OASIS Security Services (SAML) TC
          Issue Type: Improvement
          Components: Core, Glossary
    Affects Versions: Version 2.0
            Reporter: Scott Cantor
            Priority: Minor


Original note from Rob Philpot:

I was asked a question today about whether it was valid to specific one of the URN's we defined for the SAML-defined authn context classes inside an <AuthnContextDeclRef> element? 
 
I responded that I thought that was improper since I believed it was intended that those URN's were to be used in conjunction with an <AuthnContextClassRef>, not a DeclRef. But when I went back and reread the relevant spec sections, it doesn't appear to me that we specifically disallowed it.  Both the ClassRef and the DeclRef use the xs:anyURI datatype, so obviously URN's would be allowed in either one.  So I was looking for normative text that constrained the usage. AFAICT, we didn't come out and specifically say that if you're using one of the predefined classes, it's URN MUST be specified using the <AuthnContextClassRef> and not using the <AuthnContextDeclRef>.  The language in the core spec and section 3.0 of the authn context spec seems to infer this, but doesn't say it specifically.
 
My memory is a bit fuzzy, but I believe the intention of the committee was as I described.  If so, then the suggestion is that we re-examine the wording in the authn context and core specs and make it a bit clearer.  If the constraint is already in the spec and I missed it, can someone point me at it?  Or if it there was a specific reason for allowing their use in a DeclRef, could someone explain what it is?  If they were allowed there, then I guess I don't understand why we defined the <AuthnContextClassRef> in the first place.
 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]