shibboleth-dev - XACML method of referencing X.500-defined attribute types
- From: "RL 'Bob' Morgan" <>
- To: Shibboleth Design Team <>
- Subject: XACML method of referencing X.500-defined attribute types
- Date: Thu, 13 Feb 2003 01:34:08 -0800 (PST)
We were talking the other day about a scheme by which X.500/LDAP attribute
types might be referenced as SAML attribute names in some systematic
unambiguous way, so each attribute type wouldn't have to be defined by
itself. I note that XACML makes a stab at this in lines 4413-4416 of
cs-xacml-core-01.pdf:
Where a suitable attribute is already defined in LDAP [LDAP-1, LDAP-2],
the XACML identifier SHALL be formed by adding the attribute name to the
URI of the LDAP specification. For example, the attribute name for
the userPassword defined in the rfc2256 SHALL be:
http://www.ietf.org/rfc/rfc2256.txt#userPassword
This is defined as applying at least to RFC 2256, which is part of the LDAPv3
spec set, and RFC 2798, which is just an Informational doc ("not a
standard of any kind"), but does contain the inetOrgPerson attrs.
I'm not saying I am convinced this is the right approach, but it is a nice
compromise between the potential ambiguity of attr-type string descriptors
and the unfriendliness of OIDs.
- RL "Bob"
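The identifier scheme quoted from the XACML draft (LDAP spec URI + "#" + attribute descriptor) is simple enough to implement and check mechanically. The following is an added example, not code from the message or from Shibboleth or XACML; it assumes the two spec URIs are the ones the message names (rfc2256 and rfc2798) and that attribute descriptors follow the LDAP keystring syntax (a letter followed by letters, digits or hyphens). The function names and the constructed sample inputs are this example's own.

```python
import re

# Attribute-type descriptor (keystring) syntax used by LDAP schema:
# a letter followed by letters, digits or hyphens. Anything else is
# rejected so a malformed name cannot be smuggled into the fragment.
_DESCRIPTOR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# The LDAP specs the message mentions as sources of attribute types
# (assumption: only these two are accepted as identifier bases).
KNOWN_LDAP_SPECS = {
    2256: "http://www.ietf.org/rfc/rfc2256.txt",
    2798: "http://www.ietf.org/rfc/rfc2798.txt",
}


def xacml_attribute_id(rfc_number, attribute_name):
    """Form the XACML-style identifier for an LDAP-defined attribute type.

    Raises ValueError for an unknown spec or a malformed descriptor so the
    caller cannot produce an identifier that other parties would not
    resolve unambiguously.
    """
    if rfc_number not in KNOWN_LDAP_SPECS:
        raise ValueError(f"RFC {rfc_number} is not a known LDAP attribute spec")
    if not _DESCRIPTOR_RE.match(attribute_name):
        raise ValueError(f"{attribute_name!r} is not a valid attribute descriptor")
    return f"{KNOWN_LDAP_SPECS[rfc_number]}#{attribute_name}"


def parse_xacml_attribute_id(identifier):
    """Split an identifier back into (rfc_number, attribute_name).

    Returns None when the string is not of the LDAP-spec-URI form, so a
    consumer can tell LDAP-derived names from locally defined ones.
    """
    base, sep, fragment = identifier.partition("#")
    if not sep:
        return None
    for rfc_number, uri in KNOWN_LDAP_SPECS.items():
        if base == uri and _DESCRIPTOR_RE.match(fragment):
            return (rfc_number, fragment)
    return None


def classify_attribute_names(names):
    """Map each SAML attribute name to its (rfc, descriptor) or to None."""
    return {name: parse_xacml_attribute_id(name) for name in names}


if __name__ == "__main__":
    # Constructed sample: one identifier built by the scheme, one local name.
    sample = [
        xacml_attribute_id(2256, "userPassword"),
        "urn:example:attribute:localRole",  # constructed, not LDAP-derived
    ]
    for name, parsed in classify_attribute_names(sample).items():
        print(name, "->", parsed)
```

Running it prints the rfc2256 userPassword identifier resolved to (2256, "userPassword") and the constructed local name resolved to None; the rejection of a descriptor containing a space or an unlisted RFC number is where the ambiguity the message worries about gets caught.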