Subject: Re: [xacml] Attribute's Issuer as string?
- From: Satoshi Hada <SATOSHIH@jp.ibm.com>
- To: Anne.Anderson@Sun.com
- Date: Thu, 10 Jul 2003 14:37:59 +0900
Hi,

I've just found another error both in
Version 1.0 and the draft of Version 1.1:

Section 5.27:

  <xs:attribute name="Issuer"
    type="xs:anyURI" use="optional"/>

should be

  <xs:attribute name="Issuer"
    type="xs:string" use="optional"/>

Furthermore, I found the following sentence,
which says that it must be compared by URI equality.

>> If the Issuer attribute is
>> present in the attribute designator, then it MUST match, by URI equality,
>> the Issuer of the same attribute.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com

Anne Anderson <Anne.Anderson@Sun.com>
2003/07/10 05:03
Please respond to Anne.Anderson

To: Frank Siebenlist <franks@mcs.anl.gov>
cc: XACML TC <xacml@lists.oasis-open.org>
Subject: Re: [xacml] Attribute's Issuer as string?

Frank,
This is an inheritance from SAML, which defines Issuer as a
"string". Clearly it is a rather primitive concept at this
point, and could use much more elaboration based on actual
implementation environments. Yours is a good case.
Thanks,
Anne
On 9 July, Frank Siebenlist writes: [xacml] Attribute's Issuer as string?
> From: Frank Siebenlist <franks@mcs.anl.gov>
> To: XACML TC <xacml@lists.oasis-open.org>
> Subject: [xacml] Attribute's Issuer as string?
> Date: Wed, 09 Jul 2003 12:15:11 -0700
>
> The Attribute's Issuer is defined as a string, and I was wondering what the
> design rationale was behind that choice.
>
> I was trying to see how you could take care of part of the path validation of an
> assertion in xacml.
>
> For example, you would only accept a certain attribute value if it was issued by
> a subject that was a member of a certain group, or only by an issuer with a
> certain name only if that name was asserted by a certain identity issuer.
>
> I guess I was looking for an issuer type that would again be a subject with its
> own attributes.
>
> One alternative would be to chain different subjects in the Request together
> through a naming convention that ties issuer's value to a subject's attribute
> value ... but that doesn't seem very elegant.
>
> Insight? Suggestions?
>
> Thanks, Frank.
>
>
> --
> Frank Siebenlist franks@mcs.anl.gov
> The Globus Project - Argonne National Laboratory
>
>
> You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
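
Added example, not part of the original thread or of any XACML implementation: a sketch of the chaining workaround described in the quoted question, where an attribute's Issuer string is tied by naming convention to the subject-id of another subject in the request, and a value is accepted only if that issuer subject is in a required group. Issuer is compared by plain string equality, as an xs:string; the data model, attribute ids and names are all hypothetical.

```python
# Added illustration; the data model and all identifiers are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Attribute:
    attribute_id: str
    value: str
    issuer: Optional[str] = None  # Issuer is an optional plain string

SUBJECT_ID, GROUP, ROLE = "example:subject-id", "example:group", "example:role"

def designate(subject, attribute_id, issuer=None):
    """Select by AttributeId; if the designator names an Issuer, the
    attribute's Issuer must be present and string-equal to it."""
    return [a for a in subject
            if a.attribute_id == attribute_id
            and (issuer is None or a.issuer == issuer)]

def issuer_in_group(request, issuer, group, identity_issuer=None):
    """Chaining by naming convention: find a subject whose subject-id equals
    the issuer string (optionally only if asserted by identity_issuer),
    then require that subject to carry the group attribute."""
    for s in request:
        ids = designate(s, SUBJECT_ID, identity_issuer)
        if (any(a.value == issuer for a in ids)
                and any(a.value == group for a in designate(s, GROUP))):
            return True
    return False

def accepted_values(request, subject, attribute_id, group, identity_issuer=None):
    """Values whose issuer resolves to a member of group. Attributes with
    no Issuer are rejected (fail closed)."""
    return [a.value for a in designate(subject, attribute_id)
            if a.issuer is not None
            and issuer_in_group(request, a.issuer, group, identity_issuer)]

# Constructed sample request: subjects are tuples of attributes.
ALICE = (Attribute(SUBJECT_ID, "alice"),
         Attribute(ROLE, "admin", issuer="CN=Unvetted CA"),
         Attribute(ROLE, "reader", issuer="CN=Campus CA"),
         Attribute(ROLE, "auditor"))
CAMPUS = (Attribute(SUBJECT_ID, "CN=Campus CA", issuer="CN=Root IdP"),
          Attribute(GROUP, "trusted-issuers"))
UNVETTED = (Attribute(SUBJECT_ID, "CN=Unvetted CA"),)
REQUEST = [ALICE, CAMPUS, UNVETTED]
```

The group attribute on the issuer subject is itself accepted without an Issuer check in this sketch; a policy built this way would need to constrain it the same way, which is where the chaining becomes recursive.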