[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Moving subjects up to assertions (disregard first reply)
Anne Anderson wrote:

> XACML has two strong use cases.

It sounds like Anne and I should get together offline (considering we're in the same building :-) so I can go over the XACML schemas with her as a guide. I can bring the results to the focus call on Tuesday.

> 1. XACML's Query and XACMLAuthorizationDecisionStatement are NOT
>    tied to a Subject. An XACML request may contain no Subject
>    whatsoever! The only requirement is that it contain a
>    resource. Any Subject information is weighted equally with
>    any Resource or Action information.

As the core draft stands now, SAML can handle queries that contain no subjects; you would derive your Query element from RequestAbstractType. As for statements that have optional subjects...

> 2. XACML's XACMLPolicyStatement does not contain a Subject at all
>    (it MAY refer to one or more Subject Attributes, but those may
>    refer to many different subjects that might come in from
>    different requests).
>
>    This Statement has an issuer (the policy creator), but no
>    Subject. Yet I think it is squarely in the scope of SAML as a
>    Security Assertion.

We certainly allowed for this in SAML V1.x, and we were trying to figure out whether anyone depended on subjectless statements/assertions in order to remove that feature from SAML V2.0.

In both these cases, it sounds like the subject is essentially "anyone", as in "Anyone who satisfies these criteria is allowed to access resource R" or "This policy covers anyone with these attributes". If this is the case, then semantically it's not like there's no subject at all, but the <saml:Subject> element doesn't suffice for conveying the intent (and the absence of subject data does a nice job of conveying it).

I'm not proposing a solution yet, just trying to understand the problem...

Eve

--
Eve Maler                                    +1 781 442 3190
Sun Microsystems                        cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com