Subject: Re: [security-services] Moving subjects up to assertions (disregard first reply)


Don't know if this helps, but it just struck me from following this  
thread that part of the problem with the terminology here is that  
Subject really seems to mean Security Principal (human or system  
entity), and while most Assertions are about Principals, some are about  
other things (subjects which are not Principals, such as Resources or  
Policies).

So, I would contend that there are no "subject-less" Assertions (lower  
case intentional here to refer to the part of speech not the SAML  
schema element), but there *are* Assertions about subjects other than  
Principals. I wonder if it's possible to resolve this issue using a URI  
attribute on Subject to indicate what sort of subject we're talking  
about? Every subject will still need to be named somehow, so I think  
NameIdentifier applies universally. SubjectConfirmation probably only  
applies to subjects that are Principals, but I'm not sure.

-Greg

On Mar 4, 2004, at 12:31 PM, Eve L. Maler wrote:

> Anne Anderson wrote:
>> XACML has two strong use cases.
>
> It sounds like Anne and I should get together offline (considering  
> we're in the same building :-) so I can go over the XACML schemas with  
> her as a guide.  I can bring the results to the focus call on Tuesday.
>
>> 1. XACML's Query and XACMLAuthorizationDecisionStatement are NOT
>>    tied to a Subject.  An XACML request may contain no Subject
>>    whatsoever!  The only requirement is that it contain a
>>    resource.  Any Subject information is weighted equally with
>>    any Resource or Action information.
>
> As the core draft stands now, SAML can handle queries that contain no  
> subjects; you would derive your Query element from  
> RequestAbstractType.
>
> As for statements that have optional subjects...
>
>> 2. XACML's XACMLPolicyStatement does not contain a Subject at all
>>    (it MAY refer to one or more Subject Attributes, but those may
>>    refer to many different subjects that might come in from
>>    different requests).
>>    This Statement has an issuer (the policy creator), but no
>>    Subject.  Yet I think it is squarely in the scope of SAML as a
>>    Security Assertion.
>
> We certainly allowed for this in SAML V1.x, and we were trying to  
> figure out whether anyone depended on subjectless  
> statements/assertions in order to remove that feature from SAML V2.0.   
> In both these cases, it sounds like the subject is essentially  
> "anyone", as in "Anyone who satisfies these criteria is allowed to  
> access resource R" or "This policy covers anyone with these  
> attributes".
>
> If this is the case, then semantically it's not like there's no  
> subject at all, but the <saml:Subject> element doesn't suffice for  
> conveying the intent (and the absence of subject data does a nice job  
> of conveying it).  I'm not proposing a solution yet, just trying to  
> understand the problem...
>
> 	Eve
> --  
> Eve Maler                                        +1 781 442 3190
> Sun Microsystems                            cell +1 781 354 9441
> Web Products, Technologies, and Standards    eve.maler @ sun.com