Subject: Proposed glossary definition of 'Assertion'
Based on discussions with a few people at F2F2, I've put together a draft of what I think the SAML documents mean when they say 'assertion':

Assertion: A datum that contains
  (a) The principal identity of the Asserting Party,
  (b) An identifier of the referent of the assertion, and
  (c) the claim being asserted.

Assertions may also have Assertion Identifiers, and they may be signed by some authority (not necessarily the Asserting Party).

Examples:

  'cn=Colour Authority, o=company.com' asserts that 'cn=fred, ou=employees, o=company.com' is pink.

  'cn=Authz Decision Point, o=companyA.com' asserts that 'cn=chris, ou=hangers-on, o=companyB.com' is allowed to read http://companyA.com/index.html at this instant.

And, though this might be out of scope,

  'cn=Colour Authority, o=company.com' asserts that the SAML assertion with identifier {blob} is a pink assertion.

  'cn=B2B Infrastructure, o=company.com' asserts that the document identified by URI http://company.com/B2B/purchase-orders/5551212, with SHA hash {blob}, was created by a representative of 'company.com' with authority for purchases up to 15 Canadian Dollars.

The third and fourth examples are why the definition I propose says 'identifier of the referent' rather than something more specific like "principal identity of the subject".

To those of you who say "Hey! That's an attribute certificate!" I say "Shh - if we don't say it too loud, the lurking dragons may not notice."

- irving -
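The three-part structure proposed above (asserting party, referent identifier, claim), with an optional assertion identifier and a signature by an authority that need not be the asserting party, as an added example that is not part of the original post or of any SAML specification. The key store, the "cn=Signing Service" identity and the HMAC-based signature are constructed stand-ins so the code runs offline; a real deployment would use XML signatures over the assertion. The four assertions mirror the post's examples, with a constructed SHA-256 value in place of the post's {blob}.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Assertion:
    asserting_party: str           # (a) principal identity of the Asserting Party
    referent: dict                 # (b) identifier of the referent: a DN, a URI+hash, or another assertion's id
    claim: dict                    # (c) the claim being asserted
    assertion_id: Optional[str] = None
    signer: Optional[str] = None   # authority that signed; may differ from asserting_party
    signature: Optional[str] = None

    def canonical_bytes(self) -> bytes:
        # Deterministic encoding of every field except the signature itself,
        # so signer and verifier hash exactly the same bytes.
        body = {k: v for k, v in asdict(self).items() if k != "signature"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


# Hypothetical key store (constructed): signer identity -> shared key.
# HMAC stands in for a real signature purely so this example is self-contained.
KEYS = {
    "cn=Colour Authority, o=company.com": b"colour-key",
    "cn=Authz Decision Point, o=companyA.com": b"authz-key",
    "cn=B2B Infrastructure, o=company.com": b"b2b-key",
    "cn=Signing Service, o=company.com": b"signing-key",   # hypothetical third-party signer
}


def sign(a: Assertion, signer: str) -> Assertion:
    # The signer identity is bound into the signed bytes, so it cannot be swapped later.
    a.signer = signer
    a.signature = hmac.new(KEYS[signer], a.canonical_bytes(), hashlib.sha256).hexdigest()
    return a


def verify(a: Assertion, trusted_signers: set) -> bool:
    # Reject unsigned assertions and signers the relying party does not trust,
    # then check integrity of asserting party, referent, claim and id together.
    if a.signature is None or a.signer not in trusted_signers or a.signer not in KEYS:
        return False
    expected = hmac.new(KEYS[a.signer], a.canonical_bytes(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, a.signature)


def example_assertions() -> list:
    """The post's four examples, built and signed (constructed values throughout)."""
    colour_authority = "cn=Colour Authority, o=company.com"
    authz_pdp = "cn=Authz Decision Point, o=companyA.com"
    b2b = "cn=B2B Infrastructure, o=company.com"
    doc_hash = hashlib.sha256(b"constructed purchase order 5551212").hexdigest()

    fred_is_pink = Assertion(colour_authority,
                             {"dn": "cn=fred, ou=employees, o=company.com"},
                             {"colour": "pink"}, assertion_id="assertion-1")
    chris_may_read = Assertion(authz_pdp,
                               {"dn": "cn=chris, ou=hangers-on, o=companyB.com"},
                               {"action": "read", "resource": "http://companyA.com/index.html",
                                "decision": "permit"}, assertion_id="assertion-2")
    # Referent is another assertion, identified by its assertion id.
    about_assertion = Assertion(colour_authority,
                                {"assertion_id": "assertion-1"},
                                {"kind": "pink assertion"}, assertion_id="assertion-3")
    # Referent is a document, identified by URI plus hash.
    about_document = Assertion(b2b,
                               {"uri": "http://company.com/B2B/purchase-orders/5551212",
                                "sha256": doc_hash},
                               {"created_by": "representative of company.com",
                                "purchase_limit": 15, "currency": "CAD"},
                               assertion_id="assertion-4")

    sign(fred_is_pink, colour_authority)
    sign(chris_may_read, authz_pdp)
    sign(about_assertion, "cn=Signing Service, o=company.com")  # signer != asserting party
    sign(about_document, b2b)
    return [fred_is_pink, chris_may_read, about_assertion, about_document]


if __name__ == "__main__":
    for a in example_assertions():
        print(a.assertion_id, a.asserting_party, "->", a.referent, verify(a, set(KEYS)))
```

The relying party's decision in verify() turns on two separate identities: the asserting party named inside the datum and the signer whose key authenticated it. Keeping them distinct is what lets the third example be signed by a service other than the Colour Authority while still binding the Colour Authority's name into the signed bytes.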