Subject: Re: [xacml] Attribute's Issuer as string?



Hi,

I've just found another error both in Version 1.0 and the draft of Version 1.1:

Section 5.27:
<xs:attribute name="Issuer"        type="xs:anyURI"  use="optional"/>
should be
<xs:attribute name="Issuer"        type="xs:string"  use="optional"/>


Furthermore, I found the following sentence, which says that it must be compared by URI equality.

>> If the Issuer attribute is present in the attribute designator, then it MUST match, by URI equality, the Issuer of the same attribute.  

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



Anne Anderson <Anne.Anderson@Sun.com>
2003/07/10 05:03
Please respond to Anne.Anderson

        To:        Frank Siebenlist <franks@mcs.anl.gov>
        cc:        XACML TC <xacml@lists.oasis-open.org>
        Subject:        Re: [xacml] Attribute's Issuer as string?


Frank,

This is an inheritance from SAML, which defines Issuer as a
"string".  Clearly it is a rather primitive concept at this
point, and could use much more elaboration based on actual
implementation environments.  Yours is a good case.

Thanks,
Anne

On 9 July, Frank Siebenlist writes: [xacml] Attribute's Issuer as string?
> From: Frank Siebenlist <franks@mcs.anl.gov>
> To: XACML TC <xacml@lists.oasis-open.org>
> Subject: [xacml] Attribute's Issuer as string?
> Date: Wed, 09 Jul 2003 12:15:11 -0700
>
> The Attribute's Issuer is defined as a string, and I was wondering what the
> design rationale was behind that choice.
>
> I was trying to see how you could take care of part of the path validation of an
> assertion in xacml.
>
> For example, you would only accept a certain attribute value if it was issued by
>    a subject that was a member of a certain group, or only by an issuer with a
> certain name only if that name was asserted by a certain identity issuer.
>
> I guess I was looking for an issuer type that would again be a subject with its
> own attributes.
>
> One alternative would be to chain different subjects in the Request together
> through a naming convention that ties the issuer's value to a subject's attribute
> value ... but that doesn't seem very elegant.
>
> Insight? Suggestions?
>
> Thanks, Frank.
>
>
> --
> Frank Siebenlist              franks@mcs.anl.gov
> The Globus Project - Argonne National Laboratory
>
>
> You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692


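What the quoted Section 5.27 rule and Frank's naming-convention alternative amount to in code, as an added example that is not part of the thread and not code from any XACML implementation. It parses a constructed XACML 1.0 request context, applies the "Issuer in the designator MUST match the Issuer of the attribute" rule, and then goes one step further than the spec text: it looks the Issuer string up as the subject-id of another Subject in the same request and accepts the attribute only if that issuer-subject holds a given group, itself asserted by a named identity issuer. The `urn:example:*` identifiers are hypothetical, and the example assumes that "URI equality" reduces to a codepoint comparison with no normalisation, so the xs:string/xs:anyURI question affects schema validation rather than the comparison itself.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Hypothetical attribute identifiers used only in this example.
ROLE_ID = "urn:example:role"
GROUP_ID = "urn:example:group"

# Constructed sample request context (not from the thread). The access-subject
# carries two "role" attributes from two different issuers; a second Subject
# describes one of those issuers so the naming-convention chain can be checked.
REQUEST = f"""<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{ROLE_ID}" DataType="{XS_STRING}" Issuer="urn:example:hr-idp">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{ROLE_ID}" DataType="{XS_STRING}" Issuer="urn:example:rogue">
      <AttributeValue>superuser</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="urn:example:subject-category:issuer">
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}">
      <AttributeValue>urn:example:hr-idp</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{GROUP_ID}" DataType="{XS_STRING}" Issuer="urn:example:root-idp">
      <AttributeValue>attribute-authorities</AttributeValue>
    </Attribute>
  </Subject>
  <Resource/>
  <Action/>
</Request>"""


def issuer_matches(designator_issuer, attribute_issuer):
    """Section 5.27 rule: an Issuer present in the designator MUST match the
    attribute's Issuer. Assumption: 'URI equality' is a plain codepoint
    comparison, so string- and anyURI-typed issuers compare the same way."""
    return designator_issuer is None or designator_issuer == attribute_issuer


def subjects(request_xml):
    """Subject elements of a request context, parsed offline."""
    return ET.fromstring(request_xml).findall(f"{{{CTX}}}Subject")


def access_subject(request_xml):
    """The Subject whose SubjectCategory is absent (default) or access-subject."""
    for s in subjects(request_xml):
        if s.get("SubjectCategory", ACCESS_SUBJECT) == ACCESS_SUBJECT:
            return s
    return None


def designate(subject, attribute_id, data_type, issuer=None):
    """SubjectAttributeDesignator semantics over one Subject: the values of
    every Attribute with matching AttributeId and DataType, filtered by Issuer."""
    values = []
    for attr in subject.findall(f"{{{CTX}}}Attribute"):
        if attr.get("AttributeId") != attribute_id or attr.get("DataType") != data_type:
            continue
        if not issuer_matches(issuer, attr.get("Issuer")):
            continue
        values.extend(v.text for v in attr.findall(f"{{{CTX}}}AttributeValue"))
    return values


def subject_named(request_xml, subject_id):
    """Naming convention: treat an Issuer string as the subject-id of another
    Subject in the same request and return that Subject, if any."""
    for s in subjects(request_xml):
        if subject_id in designate(s, SUBJECT_ID, XS_STRING):
            return s
    return None


def chained_values(request_xml, attribute_id, data_type, group, identity_issuer):
    """Accept a value of the access-subject's attribute only if its Issuer names
    a Subject holding `group` in GROUP_ID, and that membership was itself
    asserted by `identity_issuer` (a two-link trust chain inside one request)."""
    accepted = []
    actor = access_subject(request_xml)
    if actor is None:
        return accepted
    for attr in actor.findall(f"{{{CTX}}}Attribute"):
        if attr.get("AttributeId") != attribute_id or attr.get("DataType") != data_type:
            continue
        issuer_subject = subject_named(request_xml, attr.get("Issuer"))
        if issuer_subject is None:
            continue
        if group not in designate(issuer_subject, GROUP_ID, XS_STRING, issuer=identity_issuer):
            continue
        accepted.extend(v.text for v in attr.findall(f"{{{CTX}}}AttributeValue"))
    return accepted


if __name__ == "__main__":
    actor = access_subject(REQUEST)
    print(designate(actor, ROLE_ID, XS_STRING))                               # ['admin', 'superuser']
    print(designate(actor, ROLE_ID, XS_STRING, issuer="urn:example:hr-idp"))  # ['admin']
    print(chained_values(REQUEST, ROLE_ID, XS_STRING,
                         "attribute-authorities", "urn:example:root-idp"))    # ['admin']
```

Without an Issuer on the designator the rogue "superuser" role is returned alongside "admin"; pinning the Issuer, or walking the chain to the issuer-subject's group attribute, is what keeps it out. The chain is exactly the string-tying convention Frank calls inelegant: the link between the role attribute and the issuer-subject exists only because the Issuer string happens to equal a subject-id value.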