Subject: Re: [xacml] Change request to SAML...


On 3 September, Carlisle Adams writes: [xacml] Change request to SAML...
> On the SAML call today, the following item was discussed:
> 
> >    - Standardize issuer name formats (request came from XACML)
> > 
> The people on the call felt that they needed a bit more clarification
> regarding the concrete requirements for this.  They would also be happy to
> receive any specific proposal for changes / additions to the spec to resolve
> this, but they'd be OK with just the requirements if that's all the time we
> have for over the next couple of weeks.
> 
> Anne:  this originally went from you to Eve Maler.  Would you be able to
> write a short paragraph saying why XACML needs a SAML change in this area?
How does this look:

Currently, the "Issuer" in a SAML Assertion is an attribute of
type "string".

"Subject", however, is not just a "string", but can also include
"NameQualifier" and "Format" attributes.

If one wishes to associate the Issuer of an Assertion with other
Assertions about the Issuer (such as whether the Issuer is
authorized to make the first Assertion), or with Access Control
Policies about the Issuer, one needs to match "Issuer" and
"Subject" values.  Simple string matching is inadequate for
comparing various name formats used in enterprise environments
today, such as e-mail names and the X500 Distinguished Names used
in digital certificates.

Example: If the Issuer in Assertion A is "Anne.Anderson@Sun.COM",
it is not possible to match that value with a Subject of
"ANNE.ANDERSON@SUN.COM" in a corresponding Subject Assertion or
Access Control Policy statement unless one knows that the Format
of the Issuer name is an RFC822 Name, and thus case does not
matter.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
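The matching problem Anne describes above, shown as an added example that is not part of the original message or of any SAML implementation. It contrasts plain string comparison with a format-aware comparison that consults a Format and NameQualifier attached to each name, so that an Issuer can be matched against a Subject in another assertion or policy. The `Name` class and the format labels `emailAddress` and `X509SubjectName` are simplified stand-ins for the SAML attributes (real SAML uses URIs for Format); the RFC822 rule follows the message's statement that case does not matter for such names, and the X.500 rule is a reduced canonicalisation (attribute types upper-cased, values case-folded and whitespace-collapsed, RDN order kept) rather than a full X.520 matching implementation. Sample values are constructed from the message's own example.

```python
"""Format-aware comparison of SAML-style Issuer and Subject names (example code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Name:
    """A name carrying the Format and NameQualifier that a bare Issuer string lacks."""
    value: str
    fmt: str = "unspecified"      # hypothetical label; SAML uses a Format URI
    qualifier: str = ""           # analogue of SAML's NameQualifier attribute


def _normalize_rfc822(addr: str) -> str:
    # Per the message, case does not matter for RFC822 names, so fold the whole address.
    return addr.strip().lower()


_RDN_SPLIT = re.compile(r"(?<!\\),")   # split a DN on commas that are not escaped


def _normalize_x500(dn: str) -> tuple:
    # Reduced canonical form: types upper-cased, values case-folded with
    # whitespace collapsed, RDN order preserved (order is significant in a DN).
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, _, val = rdn.partition("=")
        rdns.append((attr.strip().upper(), " ".join(val.split()).lower()))
    return tuple(rdns)


def canonical(name: Name):
    """Canonical key for a name; without Format information only exact text is safe."""
    if name.fmt == "emailAddress":
        key = _normalize_rfc822(name.value)
    elif name.fmt == "X509SubjectName":
        key = _normalize_x500(name.value)
    else:
        key = name.value
    return (name.fmt, name.qualifier, key)


def names_match(a: Name, b: Name) -> bool:
    """Format-aware equality; never matches across differing Formats or qualifiers."""
    if a.fmt != b.fmt or a.qualifier != b.qualifier:
        return False
    return canonical(a) == canonical(b)


def plain_string_match(a: str, b: str) -> bool:
    """What a string-typed Issuer gives you today: byte-for-byte equality."""
    return a == b


# Constructed values, taken from the message's example
ISSUER = "Anne.Anderson@Sun.COM"
SUBJECT = "ANNE.ANDERSON@SUN.COM"


def demo():
    """Returns (plain-string result, format-aware e-mail result, format-aware DN result)."""
    untyped = plain_string_match(ISSUER, SUBJECT)
    typed = names_match(Name(ISSUER, "emailAddress"), Name(SUBJECT, "emailAddress"))
    dn = names_match(
        Name("cn=Anne Anderson, o=Sun Microsystems, c=US", "X509SubjectName"),
        Name("CN=Anne Anderson,O=Sun Microsystems,C=US", "X509SubjectName"),
    )
    return untyped, typed, dn


if __name__ == "__main__":
    print(demo())
```

The refusal to match when either side lacks a Format, or when Formats differ, is the point of the request: a policy evaluator that silently case-folds an untyped string would also accept matches it should not, whereas one that only sees a bare Issuer string cannot reach the correct match at all.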