This issue applies to attribute authorities (AAs) - how group membership is communicated for users who are members of subgroups of groups - and
relying parties (RPs) - how the same group information is parsed.
For a user who is a member of a subgroup of a group, the implication is that they are also a member of the parent group. Thus, it should not be necessary to assert
Instead, the statement
asserts the same information. The implication is that implementations MUST NOT use full string comparison alone to check whether the user is a member of snap (additionally, this example makes use of the rule that allows a list of one element to be replaced with that element).
The corollary is that RPs MUST do a prefix string match. E.g. in C,
or in Python 3.11,
In contrast, we would not suggest requiring regexp matching, as the configuration then becomes more complicated.
See also #10 and #24
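
An added example (not part of the original issue or of the specification) of the relying-party check described above, in Python. It assumes group values are "/"-separated paths, uses the constructed subgroup name `snap/crackle`, and accepts the claim either as a single string or as a list. It matches only on a separator boundary, so a different group whose name merely begins with `snap` is not accepted.

```python
"""Added example: hierarchical group check on a separator boundary."""

SEP = "/"  # assumed hierarchy separator; the page does not show the format


def as_list(claim):
    """Normalise the claim: one string stands for a list of one element."""
    if claim is None:
        return []
    if isinstance(claim, str):
        return [claim]
    if isinstance(claim, (list, tuple)) and all(isinstance(g, str) for g in claim):
        return list(claim)
    # Fail closed on anything else instead of guessing at membership.
    raise TypeError("group claim must be a string or a list of strings")


def is_member(claim, group):
    """True if any asserted group is `group` itself or one of its subgroups."""
    wanted = group.rstrip(SEP)
    if not wanted:
        raise ValueError("empty group name")
    for asserted in as_list(claim):
        asserted = asserted.rstrip(SEP)
        # Exact match, or prefix match that ends on a separator boundary.
        if asserted == wanted or asserted.startswith(wanted + SEP):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample claims; "crackle", "snapshot" and "pop" are made-up names.
    samples = ["snap/crackle", ["snap/crackle"], "snap", "snapshot/crackle", ["pop"]]
    for claim in samples:
        full = claim == "snap"  # the full string comparison the issue warns about
        print(f"{claim!r:24} full-compare={full!s:5} prefix={is_member(claim, 'snap')}")
```

Membership of the parent does not imply membership of the subgroup, so `is_member("snap", "snap/crackle")` is false.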