Re: [security-services] Moving subjects up to assertions (disregardfirst reply)

[Anne Anderson <Anne.Anderson@Sun.COM>]

On 4 March, Eve L. Maler writes: Re: [security-services] Moving subjects up to assertions (disregard first reply)
 > But the best solution of all -- other than the one we agreed to and I've 
 > already implemented in the forthcoming core-07! -- is for us to respond 
 > to XACML's putative need for subject information that's different from 
 > ours.  We haven't heard of a use case for true freedom-from-subjects, 
 > only a (guessed) use case for subject information supplied in a form 
 > that's incompatible with ours.  I could easily make a 
 > SubjectAbstractType with nothing in it, then derive our familiar 
 > SubjectType from it.

XACML has two strong use cases.

1. XACML's Query and XACMLAuthorizationDecisionStatement are NOT
   tied to a Subject.  An XACML request may contain no Subject
   whatsoever!  The only requirement is that it contain a
   resource.  Any Subject information is weighted equally with
   any Resource or Action information.

2. XACML's XACMLPolicyStatement does not contain a Subject at all
   (it MAY refer to one or more Subject Attributes, but those may
   refer to many different subjects that might come in from
   different requests).

   This Statement has an issuer (the policy creator), but no
   Subject.  Yet I think it is squarely in the scope of SAML as a
   Security Assertion.

Anne

 > Anne?...
 > 
 > 	Eve
 > 
 > Scott Cantor wrote:
 > 
 > >>So, perhaps it should be called AuthenticationLocality?
 > > 
 > > 
 > > IIRC, the name was chosen because people got confused as to whether the
 > > address/hostname referred to the client, or a server. They still do in fact.
 > > I think SubjectLocality was a late compromise to try and clarify it. I think
 > > I suggested PrincipalLocality at one point, but Principal didn't show up in
 > > the schema anywhere, so people didn't want to add it late.
 > > 
 > > 
 > >>it does seem  like that would be most useful with SubjectConfirmation 
 > >>anyway. Is there another use for SubjectLocality BTW? Does it matter
 > >>whether it's in the authentication statement or at the assertion level?
 > >>Could it not relate to other (Subject)Statements?
 > > 
 > > 
 > > I suppose one could argue it's a special case that maybe belongs solely as
 > > bearer confirmation data. I don't personally have any other use for it, and
 > > even that use is pretty minimal since more and more people are stuck behind
 > > NATs.
 > > 
 > > -- Scott
 > -- 
 > Eve Maler                                        +1 781 442 3190
 > Sun Microsystems                            cell +1 781 354 9441
 > Web Products, Technologies, and Standards    eve.maler @ sun.com
 > 
 > 
 > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692