security-services message



Subject: RE: [security-services] On allowing multiple value types for an attribute


Thanks Scott.

Conceptually, I don't think it's a good idea to define different attribute names (i.e. different attributes) for different encodings of the same attribute. It's somehow like defining two separate Date attributes for when it is expressed in MM/DD/YY and DD/MM/YY.

As for the SAML requirement, could the concern be addressed by specifying that only one type should be used per instance of an attribute, regardless of how many values are provided?
I also think this can be considered an implied conformance criterion, since the profile already requires conformance to the requirements of SAML assertions, but I also think this is an important caveat worthy of mentioning explicitly.

Regards,
Mohammad Jafari, Ph.D.
Chair, OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee
Security Architect, Edmond Scientific Company


> -----Original Message-----
> From: Cantor, Scott [mailto:cantor.2@osu.edu]
> Sent: Wednesday, October 29, 2014 2:01 PM
> To: Mohammad Jafari; security-services@lists.oasis-open.org
> Subject: Re: [security-services] On allowing multiple value types for an
> attribute
> 
> On 10/29/14, 1:58 PM, "Mohammad Jafari" <mjafari@edmondsci.com> wrote:
> 
> >Additionally, the TC is inclined to allow, as a non-normative, using
> >XML-encoded values for the same attribute. The format used for encoding
> >the attribute will be determined based on the xsi:type on the
> >AttributeValue.
> 
> There's definitely nothing in SAML itself to preclude that, though as a matter
> of attribute design (something I'm fairly experienced in), I would say it's
> non-optimal. Attributes should really have well-defined characteristics that have
> as few variances as possible, and using separate attribute names would be
> better.
> 
> In addition, there *is* a SAML requirement that for a given Attribute's
> AttributeValues, there not be different xsi:types in different values at the
> same time. I would guess that your proposal could violate that if it were
> possible for your attribute to be multi-valued.
> 
> -- Scott
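
The constraint discussed in this thread (one xsi:type per Attribute, however many AttributeValues it carries) can be checked mechanically by a relying party before it consumes an assertion. The following is an added example, not part of either message and not code from the TC or any SAML library; the attribute names, the `ex:CodedValue` type and the function names are hypothetical, and treating an untyped value next to a typed one as a mismatch is an assumption of this sketch.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample: "purpose" mixes two types; "role" uses two prefixes for one type.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML}" xmlns:xsi="{XSI}"
    xmlns:xs="{XS}" xmlns:ex="urn:example:types">
  <saml:Attribute Name="urn:example:attr:purpose">
    <saml:AttributeValue xsi:type="xs:string">TREATMENT</saml:AttributeValue>
    <saml:AttributeValue xsi:type="ex:CodedValue"><ex:code>TREAT</ex:code></saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:attr:role">
    <saml:AttributeValue xsi:type="xs:string">physician</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsd="{XS}" xsi:type="xsd:string">nurse</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def resolve(qname, ns_stack):
    """Expand an xsi:type QName to {namespace}local using in-scope declarations."""
    if qname is None:
        return "(untyped)"          # assumption: untyped counts as its own kind
    prefix, _, local = qname.rpartition(":")
    for declared, uri in reversed(ns_stack):
        if declared == prefix:
            return f"{{{uri}}}{local}"
    return qname                    # undeclared prefix: fall back to the raw string

def mixed_type_attributes(xml_text):
    """Return {Attribute Name: sorted distinct types} where values disagree on type."""
    ns_stack, current, seen = [], None, {}
    source = io.BytesIO(xml_text.encode())
    for event, item in ET.iterparse(source, events=("start-ns", "end-ns", "start")):
        if event == "start-ns":
            ns_stack.append(item)   # (prefix, uri) now in scope
        elif event == "end-ns":
            ns_stack.pop()          # declaration went out of scope
        elif item.tag == f"{{{SAML}}}Attribute":
            current = item.get("Name")
            seen.setdefault(current, set())
        elif item.tag == f"{{{SAML}}}AttributeValue" and current is not None:
            seen[current].add(resolve(item.get(f"{{{XSI}}}type"), ns_stack))
    return {name: sorted(types) for name, types in seen.items() if len(types) > 1}

if __name__ == "__main__":
    for name, types in mixed_type_attributes(SAMPLE).items():
        print(f"{name}: mixed xsi:type values {types}")
```

Comparing resolved names rather than raw strings keeps `xs:string` and `xsd:string` from being reported as different types when both prefixes bind to the XML Schema namespace.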


