Re: [security-services] The multiple subject issue

[Stephen Farrell <stephen.farrell@baltimore.ie>]

Phill,

This is much better now. Coupla clarifying questions though
related to SubjectConfirmation:

1) If both NameIdentifier and SubjectConfirmation are present
does that mean that a relying party (for the containing assertion)
MUST/SHOULD/MAY check the s-c value as part of assertion validation?
core-25 seems to imply this is a MAY, but I'd rather it be 
explicit (I don't mind which is chosen really).

2) One 1)'s answered, then same question for the case where there's
only a SubectConfirmation. I guess a MUST might be more easily 
argued in this case?

3) Let s1 = <Subject><n-i=fred/></Subject> and
s2 = <Subject><n-i=fred/><s-c=fred-cert/></Subject> (i.e. s2
is s1 with the addition of a SubjectConfirmation). Now, when
do I consider s1=s2 and when not? E.g. if I send you an
AuthenticationQuery containing s1 and you send me back an
assertion containing s2, is that ok? In this case I've no 
suggested answer, since I don't believe I understand the
consequences well enough - maybe someone else does?

Finally, given that these questions arise, I guess I should
ask whether its really a good idea to couple the s-c stuff
with the Subject instead of including it elsewhere in the 
assertion or protocol constructs?

Stephen.


"Hallam-Baker, Phillip" wrote:
> 
> To try to clarify this issue, here is the schema as ammended during the con
> call 2 weeks ago:
> 
>         <element name="SubjectStatement"
> type="saml:SubjectStatementAbstractType"/>
>         <complexType name="SubjectStatementAbstractType" abstract="true">
>                 <complexContent>
>                         <extension base="saml:StatementAbstractType">
>                                 <sequence>
>                                         <element ref="saml:Subject"/>
>                                 </sequence>
>                         </extension>
>                 </complexContent>
>         </complexType>
> 
>         <element name="Subject" type="saml:SubjectType"/>
>         <complexType name="SubjectType">
>                 <choice>
>                         <sequence>
>                                 <element ref="saml:NameIdentifier"/>
>                                 <element ref="saml:SubjectConfirmation"
> minOccurs="0"/>
>                         </sequence>
>                         <element ref="saml:SubjectConfirmation"/>
>                 </choice>
>         </complexType>
> 
> A statement can have exactly ONE subject that may be desribed by a Name
> Identifier alone, OR a Name Identifier and subject confirmation OR a subject
> confirmation alone.
> 
> In the case of a name alone the subject confirmation is presumably out of
> scope, quite likely in an attribute statement.
> 
> In the case of subject confirmation alone the name may well be irrelevant.
> 
>                 Phill
> 
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
> 
> >

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com