["Scott Cantor" <cantor.2@osu.edu>]

> Reading the profiles spec seems to suggest that 
> SubjectConfirmation is a means to "proxy" the "real" Subject?

What profiles spec? And no, it doesn't mean only that. It could mean that.

> However, the asserting party can add additional information to the
> assertion giving various third parties (attesting entities) 
> the right to "claim they are me"?

If a profile defines that. No such profile currently exists. The language
you're talking about is intended to *allow* a profile to do so. Nothing more
or less.

> i.e. in bearer in web sso:
> "The bearer of the assertion [The Browser] can confirm itself as the
> subject [Me]"

Right, and web sso is a profile.

> in holder of key, the asserting party is basically saying:
> 
> "anyone who holds the key or certificate identified in the
> SubjectConfirmationData can claim to be Subject" - subject to 
> conditions of course.

It means "associated" with the subject. Nothing more or less. Only the
profile can define what "associated" means.

> Does that mean that, say, SPa can sign something in the assertion ir got
> from IdP before passing it on to SPb and SPb can use the certficate/key in
> SubjectConfirmationData to verify that SPa indeed has the key identified
> in SubjectConfirmationData? If so, then SPb can assume that the attesting
> entity (SPa) has a relationship with the asserting party (IdP) via it's
> key, which is identified in SubjectConfirmationData?

A relationship, yes. You're jumping from that to being explicit about what
the relationship is. Only a profile of use can do that.

-- Scott