OASIS Mailing List Archives

security-services message

Subject: Re: [security-services] Moving subjects up to assertions (disregard first reply)


Anne Anderson wrote:
> XACML has two strong use cases.

It sounds like Anne and I should get together offline (considering we're 
in the same building :-) so I can go over the XACML schemas with her as 
a guide.  I can bring the results to the focus call on Tuesday.

> 1. XACML's Query and XACMLAuthorizationDecisionStatement are NOT
>    tied to a Subject.  An XACML request may contain no Subject
>    whatsoever!  The only requirement is that it contain a
>    resource.  Any Subject information is weighted equally with
>    any Resource or Action information.

As the core draft stands now, SAML can handle queries that contain no 
subjects; you would derive your Query element from RequestAbstractType.

As for statements that have optional subjects...

> 2. XACML's XACMLPolicyStatement does not contain a Subject at all
>    (it MAY refer to one or more Subject Attributes, but those may
>    refer to many different subjects that might come in from
>    different requests).
> 
>    This Statement has an issuer (the policy creator), but no
>    Subject.  Yet I think it is squarely in the scope of SAML as a
>    Security Assertion.

We certainly allowed for this in SAML V1.x, and we were trying to figure 
out whether anyone depended on subjectless statements/assertions in 
order to remove that feature from SAML V2.0.  In both these cases, it 
sounds like the subject is essentially "anyone", as in "Anyone who 
satisfies these criteria is allowed to access resource R" or "This 
policy covers anyone with these attributes".

If this is the case, then semantically it's not like there's no subject 
at all, but the <saml:Subject> element doesn't suffice for conveying the 
intent (and the absence of subject data does a nice job of conveying 
it).  I'm not proposing a solution yet, just trying to understand the 
problem...

	Eve
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com
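The design question above (queries derived from RequestAbstractType with no subject, and statements whose missing Subject means "anyone") comes down to what a relying party does when it receives an assertion with no <saml:Subject>. The following Python check is an added example, not code from this thread or from the OASIS TC: it accepts a subjectless assertion only when every statement in it is of a type the deployment has explicitly agreed may mean "anyone" (here an XACML policy statement carried as a saml:Statement with an xsi:type, which is SAML 2.0's own extension mechanism), and rejects, for instance, an attribute statement that has silently lost its subject. The XACML namespace URI, the sample assertions and the host names are constructed for the example and are not taken from any OASIS schema.

```python
"""Relying-party check for subjectless SAML 2.0 assertions (added example).

Policy: an assertion with a <saml:Subject> is scoped to that subject; an
assertion without one is accepted only if every statement it carries is of
a type this deployment has agreed may apply to "anyone".
"""
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# ASSUMED namespace for the XACML statement extension types; the real
# XACML/SAML profile defines its own URI.
XACML_NS = "urn:example:xacml-saml:assertion"
NS = {"saml": SAML_NS, "xsi": XSI_NS}

# (namespace, local type name) of extension statements allowed to have no Subject.
SUBJECTLESS_OK = {(XACML_NS, "XACMLPolicyStatementType")}

STATEMENT_TAGS = {f"{{{SAML_NS}}}{n}" for n in
                  ("AuthnStatement", "AttributeStatement", "AuthzDecisionStatement", "Statement")}


def parse_with_prefixes(xml_text):
    """Parse and also capture prefix->URI bindings, needed to resolve xsi:type."""
    prefixes, root = {}, None
    for event, payload in ET.iterparse(io.StringIO(xml_text), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, prefixes


def statement_types(root, prefixes):
    """Return [(namespace, local-name)] for every statement in the assertion."""
    types = []
    for child in root:
        if child.tag not in STATEMENT_TAGS:
            continue
        if child.tag == f"{{{SAML_NS}}}Statement":
            # Extension statements are <saml:Statement xsi:type="pfx:SomeType">.
            qname = child.get(f"{{{XSI_NS}}}type", "")
            if ":" not in qname:
                raise ValueError("saml:Statement without a namespaced xsi:type")
            pfx, local = qname.split(":", 1)
            if pfx not in prefixes:
                raise ValueError(f"unbound prefix in xsi:type: {qname}")
            types.append((prefixes[pfx], local))
        else:
            types.append((SAML_NS, child.tag.split("}", 1)[1]))
    return types


def evaluate(assertion_xml):
    """Decide whether to accept the assertion and report its subject scope."""
    root, prefixes = parse_with_prefixes(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return {"accepted": False, "reason": "not a saml:Assertion"}
    if not root.findtext("saml:Issuer", namespaces=NS):
        return {"accepted": False, "reason": "missing Issuer"}
    types = statement_types(root, prefixes)
    if not types:
        return {"accepted": False, "reason": "no statements"}
    subject = root.find("saml:Subject", NS)
    if subject is not None:
        name_id = subject.findtext("saml:NameID", namespaces=NS)
        return {"accepted": True, "scope": "named-subject", "subject": name_id, "statements": types}
    bad = [t for t in types if t not in SUBJECTLESS_OK]
    if bad:
        return {"accepted": False, "scope": "subjectless", "subject": None, "statements": types,
                "reason": f"subjectless {bad[0][1]} is not allowed"}
    return {"accepted": True, "scope": "anyone", "subject": None, "statements": types}


# Constructed sample assertions (not real SAML traffic).
NAMED = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_a1" IssueInstant="2003-10-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

POLICY = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}" xmlns:xacml="{XACML_NS}"
    Version="2.0" ID="_p1" IssueInstant="2003-10-01T00:00:00Z">
  <saml:Issuer>https://pap.example.org</saml:Issuer>
  <saml:Statement xsi:type="xacml:XACMLPolicyStatementType">
    <xacml:Policy PolicyId="urn:example:policy:1"/>
  </saml:Statement>
</saml:Assertion>"""

# An attribute statement with no Subject: "anyone has role staff" is not what the issuer meant.
BAD = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_b1" IssueInstant="2003-10-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("named", NAMED), ("policy", POLICY), ("bad", BAD)):
        print(label, evaluate(doc))
```

The allowlist is the point: absence of a Subject is only a safe way to say "anyone" when the relying party has decided, per statement type, that "anyone" is a meaning that type can carry. Resolving xsi:type through the captured prefix bindings matters because a local name alone would let an attacker's own namespace masquerade as the allowed policy statement type.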