shibboleth-dev - RE: Attributes, and Shibboleth -- entitlements

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Shibboleth Project'" <>, <>, <>
  • Subject: RE: Attributes, and Shibboleth -- entitlements
  • Date: Sat, 19 Jan 2002 16:29:37 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> I've heard another comment about entitlement:
>
> -- the use of the urn:mace namespace (rather than the original
> proposal of urn:XSTOR5) will be a lot easier on info vendors, because
> they won't have to write an RFC to get their own namespace.

Yes, but they can always use URLs, and while I understand RLBob's points
about URNs, I don't have any personal problem with using URLs as a
convenience. Deployment is more important to me than elegance,
especially considering the use of w3c.org URLs as namespace names in
official specs. Disagree if you must, but it's a decided issue. But if
you want to delegate MACE URN space to them, that's fine too.

> The policy rule under Proposal 1 would look something like this:
>
> (SecurityDomain)(attribute value)
>
> and under Proposal 2 would look like this:
>
> (SecurityDomain)(attribute value)(attribute name)
>
> (again, see the other note). For all of the other attributes, I
> think we're at the point where the policy rule would look like
> Proposal 1. Which makes me begin to lean toward it.

Proposal 2 really looks like this:

(Namespace) (Name)

Security Domain may be involved in AAP processing to enforce what
namespaces can be asserted by what organizations, but the attribute
value is generally going to be empty.

And namespace is always going to be in the policy rule, since an
attribute name is never unique enough on its own.

So I'd say the starting point is something like:

(Namespace) (Attrib Name) (Security Domain) (Attrib Value)

In proposal 2, the last two are empty/irrelevant to access control
enforcement. In proposal 1, the namespace and attribute name are common
across these entitlements, while the value is where the meat is.

-- Scott
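
Added example, not part of the original message and not Shibboleth code: a sketch of the four-field rule (Namespace) (Attrib Name) (Security Domain) (Attrib Value) with a Proposal 1 style rule beside a Proposal 2 style rule. All namespaces, names, domains and values are constructed, and treating an empty rule field as "matches anything" and modelling the AAP as a per-domain namespace allow-list are assumptions.

```python
from typing import NamedTuple, Optional

class Assertion(NamedTuple):
    namespace: str
    name: str
    domain: str   # security domain of the asserting organization
    value: str    # generally "" under Proposal 2

class Rule(NamedTuple):
    namespace: str                 # always present: a name alone is not unique
    name: str
    domain: Optional[str] = None   # None = empty/irrelevant to enforcement
    value: Optional[str] = None

# Constructed AAP: which namespaces each security domain may assert.
AAP = {
    "example.edu": {"urn:mace:example", "http://vendor.example/ns"},
    "other.example": {"urn:mace:example"},
}

# Proposal 1 style: common namespace and name, the value carries the entitlement.
P1_RULE = Rule("urn:mace:example", "entitlement",
               "example.edu", "urn:mace:example:journal-x")
# Proposal 2 style: namespace and name identify the entitlement, rest empty.
P2_RULE = Rule("http://vendor.example/ns", "journal-x")

def aap_accepts(a: Assertion, aap: dict) -> bool:
    """Drop attributes whose namespace the asserting domain may not use."""
    return a.namespace in aap.get(a.domain, set())

def rule_matches(rule: Rule, a: Assertion) -> bool:
    """Namespace and name must match; empty rule fields are not compared."""
    if (rule.namespace, rule.name) != (a.namespace, a.name):
        return False
    if rule.domain is not None and rule.domain != a.domain:
        return False
    if rule.value is not None and rule.value != a.value:
        return False
    return True

def authorize(rules, assertions, aap=AAP) -> bool:
    """AAP filtering first, then access control on what survives."""
    accepted = [a for a in assertions if aap_accepts(a, aap)]
    return any(rule_matches(r, a) for r in rules for a in accepted)
```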
