Subject: Re: [xacml] Attribute's Issuer as string?
Anne, Thanks for the quick clarification. My old brain remembers now that I identified the same issue with SAML some time ago... Is a possible issuer's "enhancement" on the xacml 2.0 feature list? -Frank. Anne Anderson wrote: > Frank, > > This is an inheritance from SAML, which defines Issuer as a > "string". Clearly it is a rather primitive concept at this > point, and could use much more elaboration based on actual > implementation environments. Yours is a good case. > > Thanks, > Anne > > On 9 July, Frank Siebenlist writes: [xacml] Attribute's Issuer as string? > > From: Frank Siebenlist <email@example.com> > > To: XACML TC <firstname.lastname@example.org> > > Subject: [xacml] Attribute's Issuer as string? > > Date: Wed, 09 Jul 2003 12:15:11 -0700 > > > > The Attribute's Issuer is defined as a string, and I was wondering what the > > design rational was behind that choice. > > > > I was trying to see how you could take care of part of the path validation of an > > assertion in xacml. > > > > For example, you would only accept a certain attribute value if it was issued by > > a subject that was a member of a certain group, or only by an issuer with a > > certain name only if that name was asserted by a certain identity issuer. > > > > I guess I was looking for an issuer type that would again be a subject with its > > own attributes. > > > > One alternative would be to chain different subjects in the Request together > > through a naming conventions that ties issuer's value to a subject's attribute > > value ... but that doesn't seem very elegant. > > > > Insight? Suggestions? > > > > Thanks, Frank. > > > > > > -- > > Frank Siebenlist email@example.com > > The Globus Project - Argonne National Laboratory > > > > > > You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php > -- Frank Siebenlist firstname.lastname@example.org The Globus Project - Argonne National Laboratory