Re: [Geopriv] common policy document

From: Aki Niemi <aki.niemi@nokia.com>
Date: Thu Jul 14 2005 - 07:20:01 EDT

Hi,

I'm still confused about the need for "asserted" and "authenticated"
instead of simply "asserted". To an unsophisticated rulemaker they sound
the same. Do we have clear use cases for justifying being able to
distinguish between a 3rd party assertion and a home-grown assertion
(e.g., Digest authenticated username)? If not, these two can be folded
together.

But if the distinction between "asserted" and "authenticated" is needed,
then a better way is to add a 'strength' parameter to the <identity>
element, as Henning suggested.

That said, I would propose a slightly different construct where
<identity> is used for all identity-related matches:

<!-- Identity can match ordinary single identities -->
<identity>
    <id entity="foobar@example.com" />
    <id entity="foo@bar.com" />
</identity>

<!-- ...or use domain wildcards... -->
<identity>
    <wildcard domain="example.com">
       <except entity="joe@example.com" />
       <except entity="alice@example.com" />
    </wildcard>
</identity>

<!-- ...or the 'any-identity' which is really a global wildcard -->
<identity>
    <any>
       <except domain="foobar.com" />
    </any>
</identity>

This seems a bit more logical compared to splitting them up, i.e., <id>
and <domain> under <identity> and <any-identity> as a separate condition.

Cheers,
Aki

ext Henning Schulzrinne wrote:
> Having two ways to do the same thing seems sub-optimal. This is already
> confusing enough. If anything, it would make sense to have a more
> orthogonal specification of identities and their strength, such as
>
> <identity strength="asserted">
> <id entity="foo@bar">
> </identity>
>
>
> Tschofenig, Hannes wrote:
>
>> hi henning,
>> the <any-identity> element is a condition element that matches any
>> authenticated and asserted identity.
>>
>> as an example, the following two rules (that are shown in ruleset (1))
>> are equivalent to the rule, which uses the <any-identity> element, shown
>> in ruleset (2):
>>
>> 1) WITHOUT <any-identity>:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <ruleset xmlns="urn:ietf:params:xml:ns:common-policy">
>>
>>   <rule id="f3g44r2">
>>     <conditions>
>>       <identity/>
>>     </conditions>
>>   </rule>
>>
>>   <rule id="f3g44r2">
>>     <conditions>
>>       <asserted/>
>>     </conditions>
>>   </rule>
>> </ruleset>
>>
>> 2) WITH <any-identity>:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <ruleset xmlns="urn:ietf:params:xml:ns:common-policy">
>>
>>   <rule id="f3g44r2">
>>     <conditions>
>>       <any-identity/>
>>     </conditions>
>>   </rule>
>> </ruleset>
>>
>> with more complex rules (e.g., <any-identity/> with multiple
>> <except-domain> elements) it would be necessary to replicate them.
>> does this make more sense?
>> ciao
>> hannes
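To make the matching behaviour of the <identity> construct proposed above concrete, here is an added Python evaluator (example code, not from the common-policy draft or from either author) for its three forms: <id>, <wildcard> with <except>, and <any> with <except>. The match semantics and case rules are assumptions read off the element names, and an unauthenticated request is taken never to match, so <any> cannot grant access to an anonymous requester.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample conditions, following the shapes proposed in the thread.
ID_COND = '<identity><id entity="foobar@example.com"/><id entity="foo@bar.com"/></identity>'
WILDCARD_COND = ('<identity><wildcard domain="example.com">'
                 '<except entity="joe@example.com"/><except entity="alice@example.com"/>'
                 '</wildcard></identity>')
ANY_COND = '<identity><any><except domain="foobar.com"/></any></identity>'

def domain_of(entity: str) -> str:
    """Domain part of user@domain, lower-cased; '' when there is no '@'."""
    return entity.rpartition("@")[2].lower() if "@" in entity else ""

def excepted(node: ET.Element, entity: str) -> bool:
    """True if an <except> child rules the entity out, by exact entity or by domain.
    Assumption: entities compare exactly, domains case-insensitively."""
    dom = domain_of(entity)
    for ex in node.findall("except"):
        if ex.get("entity") == entity:
            return True
        exd = ex.get("domain", "").lower()
        if exd and exd == dom:
            return True
    return False

def identity_matches(condition_xml: str, entity: Optional[str]) -> bool:
    """Evaluate one <identity> condition against the requesting identity.
    entity is None for an unauthenticated request, which never matches:
    even <any> only covers authenticated/asserted identities (assumption)."""
    if not entity:
        return False
    root = ET.fromstring(condition_xml)
    if root.tag != "identity":
        raise ValueError("expected an <identity> condition")
    dom = domain_of(entity)
    for child in root:
        if child.tag == "id" and child.get("entity") == entity:
            return True
        if child.tag == "wildcard":
            wd = child.get("domain", "").lower()
            if wd and wd == dom and not excepted(child, entity):
                return True
        if child.tag == "any" and not excepted(child, entity):
            return True
    return False  # no child matched, so the condition is false

if __name__ == "__main__":
    for cond, who in ((ID_COND, "foo@bar.com"), (WILDCARD_COND, "joe@example.com"),
                      (ANY_COND, "bob@somewhere.net"), (ANY_COND, None)):
        print(who, "->", identity_matches(cond, who))
```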

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www1.ietf.org/mailman/listinfo/geopriv
Received on Thu, 14 Jul 2005 14:20:01 +0300