security-services message


Subject: Re: [security-services] On allowing multiple value types for an attribute

On 11/5/14, 11:55 PM, "Mohammad Jafari" <mjafari@edmondsci.com> wrote:
>Conceptually, I don't think it's a good idea to define different 
>attribute names (i.e. different attributes) for different encodings of 
>the same attribute. It's somehow like defining two separate Date 
>attributes for when it is expressed in MM/DD/YY and DD/MM/YY.

Syntax is part of an attribute's definition. In LDAP terms, you can't 
define an attribute type as one syntax and then use a different syntax 
without changing the attribute type (which in SAML terms is the name).

Problems like your date example come up all the time and I would always 
argue for using separate names, or for adding a piece that specifies the 
encoding as part of the value. But xsi:type isn't that thing. It's too 
tied up in XML validation to be safely used that way.

>As for the SAML requirement, could the concern be addressed by specifying 
>that only one type should be used per instance of attribute, regardless 
>of how many values are provided?

There is no SAML requirement you're violating, I'm just arguing that it's 
not the best choice, and you will have interop problems with SAML 
implementation code if you do it. Basically anything but string is 
hopeless, but expecting code to handle multiple syntaxes with one name is 
even more hopeless. You're guaranteeing implementation problems.

-- Scott
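The interop hazard discussed above, as an added example that is not part of the original thread or of any SAML implementation: a small Python check that walks a SAML `AttributeStatement`, records which `xsi:type` syntaxes each `Attribute` name is used with, and flags names whose values do not share a single syntax as well as names that use anything other than `xs:string`. The sample assertion fragment, the function names, and the decision to treat an `AttributeValue` with no `xsi:type` as its own "untyped" syntax (rather than silently equating it with `xs:string`) are all assumptions made for this example. The check resolves QName prefixes through the namespace declarations seen while parsing, so `xs:string` and `xsd:string` compare equal; prefix scoping is collapsed into one global map, which is adequate for a single statement but not a general XML processor.

```python
"""Check a SAML AttributeStatement for the "one syntax per attribute name" rule."""
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
XS_STRING = "{%s}string" % XS_NS
UNTYPED = "(no xsi:type)"  # assumption: an untyped value counts as its own syntax

# Constructed sample: "employeeNumber" mixes two syntaxes under one Name, "birthDate"
# is consistently typed but not a string, and "displayName" uses two prefixes for the
# same XML Schema type (declared on the element itself), which must NOT be flagged.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="mail">
    <saml:AttributeValue xsi:type="xs:string">alice@example.org</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">a.smith@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName">
    <saml:AttributeValue xsi:type="xs:string">Alice Smith</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xsi:type="xsd:string">A. Smith</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="employeeNumber">
    <saml:AttributeValue xsi:type="xs:string">12345</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:integer">12345</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="birthDate">
    <saml:AttributeValue xsi:type="xs:date">1980-01-31</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_with_prefixes(xml_text):
    """Parse the document and also collect every prefix->namespace declaration.

    ElementTree resolves element/attribute names but leaves attribute *values*
    such as xsi:type="xs:string" as raw text, so the prefix map is needed to
    compare types declared with different prefixes.
    """
    nsmap = {}
    root = None
    for event, payload in ET.iterparse(io.StringIO(xml_text), events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            nsmap[prefix] = uri
        elif root is None:
            root = payload  # first start event is the document element
    return root, nsmap


def resolve_qname(qname, nsmap):
    """Expand 'xs:string' to '{http://www.w3.org/2001/XMLSchema}string'."""
    prefix, _, local = qname.rpartition(":")
    uri = nsmap.get(prefix)
    if uri is None:
        if prefix:
            raise ValueError("undeclared prefix %r in xsi:type %r" % (prefix, qname))
        return local  # unprefixed name with no default namespace
    return "{%s}%s" % (uri, local)


def attribute_syntaxes(xml_text):
    """Map each Attribute Name to the set of syntaxes used by its AttributeValues."""
    root, nsmap = parse_with_prefixes(xml_text)
    seen = defaultdict(set)
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        name = attr.get("Name")
        for value in attr.findall("{%s}AttributeValue" % SAML_NS):
            xsi_type = value.get("{%s}type" % XSI_NS)
            seen[name].add(resolve_qname(xsi_type, nsmap) if xsi_type else UNTYPED)
    return dict(seen)


def find_mixed_syntax(xml_text):
    """Names whose values carry more than one syntax: the case argued against above."""
    return {n: sorted(t) for n, t in attribute_syntaxes(xml_text).items() if len(t) > 1}


def non_string_attributes(xml_text):
    """Names that use any syntax other than xs:string, the only broadly interoperable one."""
    return sorted(n for n, t in attribute_syntaxes(xml_text).items() if t - {XS_STRING})


if __name__ == "__main__":
    for name, types in find_mixed_syntax(SAMPLE).items():
        print("mixed syntax under one Name %r: %s" % (name, types))
    print("attributes with non-string values:", non_string_attributes(SAMPLE))
```

Run as a script, it reports `employeeNumber` as mixing `xs:integer` and `xs:string` under one Name, and lists `birthDate` and `employeeNumber` as the attributes a string-only consumer may mishandle; `displayName` is not reported because both of its values resolve to the same XML Schema type once prefixes are expanded.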
