
wss message


Subject: New Issue - License Id in REL Token Profile

The REL Token Profile specifies 3 ways an STR can refer to an XrML license: remote URL, local URL fragment and LicenseId. This seems fine to me. However, the LicenseId is defined as a direct reference. I believe it should be defined as a KeyIdentifier. This is consistent with what has been proposed for X.509 Tokens in the case of IssuerSerial and with the current way that the SAML Token Profile specifies the use of an AssertionId.

I believe that the various Token profiles should be as consistent as possible with each other in their use of common mechanisms, such as reference types in STRs. This will help to reduce programming errors and facilitate future evolution of the specs.

The core spec does not really make clear when each type of reference is intended to be used, but this is my understanding.

Direct references are intended to indicate the token by its location. Usually it will be a dereferenceable remote or local URL. If not, it will be some kind of well understood URI, which lets you "find" the token. It will usually not be related to the content of the Token. Therefore, different references may point to copies of the same token and as the token moves around the net or appears in different messages, its references may change.

A Key Identifier is intended to be some identifier that appears within the token and is unique to the token or its key. Usually it will be under the signature of the issuer. It may or may not be a URI, but its value will always be the same for the same token.

A Key Name is an identifier that refers to the subject of the token. There may be a many to many relationship between the subject, token and its keys.

Since we have largely deprecated the use of Key Name, then if we are going to use direct references for things like License Id, IssuerSerial and Assertion Id, then we might as well drop the use of Key Identifier and Key Name entirely and just use direct references for everything.
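
The distinction drawn in the message, as an added example that is not part of the original post or of any OASIS specification: the same license is copied into two messages under different local ids, and a direct reference resolves only where the location matches while a key identifier resolves in both. It assumes the WSS 1.0 `wsse`/`wsu` namespace URIs; the `t:license` element, its namespace and the `licenseId` value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
TOK = "urn:example:constructed-token"  # placeholder namespace (assumption)

def message(local_id, ref_xml):
    """Build a constructed Security header with one license and one STR."""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
            f'xmlns:ds="{DS}" xmlns:t="{TOK}">'
            f'<t:license wsu:Id="{local_id}" licenseId="urn:example:license:42"/>'
            f'<wsse:SecurityTokenReference>{ref_xml}</wsse:SecurityTokenReference>'
            f'</wsse:Security>')

def resolve(xml_text):
    """Return (reference kind, wsu:Id of the token it resolves to, or None)."""
    sec = ET.fromstring(xml_text)  # constructed input only
    ref = sec.find(f"{{{WSSE}}}SecurityTokenReference")[0]
    tokens = sec.findall(f"{{{TOK}}}license")
    if ref.tag == f"{{{WSSE}}}Reference":
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return "direct-remote", None  # would need a fetch; not done here
        # Direct reference: match on where the token sits in this message.
        hit = [t for t in tokens if t.get(f"{{{WSU}}}Id") == uri[1:]]
        kind = "direct-local"
    elif ref.tag == f"{{{WSSE}}}KeyIdentifier":
        # Key identifier: match on a value carried inside the token itself.
        wanted = (ref.text or "").strip()
        hit = [t for t in tokens if t.get("licenseId") == wanted]
        kind = "key-identifier"
    elif ref.tag == f"{{{DS}}}KeyName":
        return "key-name", None  # names the subject, not one specific token
    else:
        raise ValueError(f"unknown reference form: {ref.tag}")
    return kind, (hit[0].get(f"{{{WSU}}}Id") if len(hit) == 1 else None)

def demo():
    """Resolve both reference forms against two copies of the same license."""
    direct = '<wsse:Reference URI="#lic-A"/>'
    keyid = '<wsse:KeyIdentifier>urn:example:license:42</wsse:KeyIdentifier>'
    return [resolve(message(i, r))
            for r in (direct, keyid) for i in ("lic-A", "lic-B")]

if __name__ == "__main__":
    for row in demo():
        print(row)
```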

