Simon,
I think we are on the same wavelength (I used the term HP since Joe
and Nigel had advanced similar arguments).
In the case that the authorization needs to go down to the element
level etc., I would see that as a matter for XPATH and XPOINTER (whatever).
In fact looking at some of the dot.net stuff the boundary between
the document and contents can become blurred. One could specify an
individual element within the document:
http:\\...\document.html\Body\H1 (or some such)
Provided the issuer and relying party both agree on what the
interpretation of the URI should be, we get interoperability.
Equally, if someone wanted to implement the RE-based matching I
described earlier, there would be nothing to stop them; however, I don't think
we want to insist that every SAML application implement full RE matching.
One way to support this is through the respond element:
<Respond>Wildcard</Respond>
<Respond>urn:47598q75987:Regular-Expressions</Respond>
And so on...
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227