Subject: Re: [security-services] Moving subjects up to assertions (disregard first reply)
Don't know if this helps, but it just struck me from following this thread that part of the problem with the terminology here is that Subject really seems to mean Security Principal (human or system entity), and while most Assertions are about Principals, some are about other things (subjects which are not Principals, such as Resources or Policies). So, I would contend that there are no "subject-less" Assertions (lower case intentional here to refer to the part of speech, not the SAML schema element), but there *are* Assertions about subjects other than Principals.

I wonder if it's possible to resolve this issue using a URI attribute on Subject to indicate what sort of subject we're talking about? Every subject will still need to be named somehow, so I think NameIdentifier applies universally. SubjectConfirmation probably only applies to subjects that are Principals, but I'm not sure.

-Greg

On Mar 4, 2004, at 12:31 PM, Eve L. Maler wrote:

> Anne Anderson wrote:
>> XACML has two strong use cases.
>
> It sounds like Anne and I should get together offline (considering we're in the same building :-) so I can go over the XACML schemas with her as a guide. I can bring the results to the focus call on Tuesday.
>
>> 1. XACML's Query and XACMLAuthorizationDecisionStatement are NOT tied to a Subject. An XACML request may contain no Subject whatsoever! The only requirement is that it contain a resource. Any Subject information is weighted equally with any Resource or Action information.
>
> As the core draft stands now, SAML can handle queries that contain no subjects; you would derive your Query element from RequestAbstractType.
>
> As for statements that have optional subjects...
>
>> 2. XACML's XACMLPolicyStatement does not contain a Subject at all (it MAY refer to one or more Subject Attributes, but those may refer to many different subjects that might come in from different requests). This Statement has an issuer (the policy creator), but no Subject. Yet I think it is squarely in the scope of SAML as a Security Assertion.
>
> We certainly allowed for this in SAML V1.x, and we were trying to figure out whether anyone depended on subjectless statements/assertions in order to remove that feature from SAML V2.0.
>
> In both these cases, it sounds like the subject is essentially "anyone", as in "Anyone who satisfies these criteria is allowed to access resource R" or "This policy covers anyone with these attributes".
>
> If this is the case, then semantically it's not like there's no subject at all, but the <saml:Subject> element doesn't suffice for conveying the intent (and the absence of subject data does a nice job of conveying it). I'm not proposing a solution yet, just trying to understand the problem...
>
> Eve
>
> --
> Eve Maler                                        +1 781 442 3190
> Sun Microsystems                            cell +1 781 354 9441
> Web Products, Technologies, and Standards        eve.maler @ sun.com
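As an added illustration (not part of this thread or of any SAML draft), here is a small relying-party check that encodes the rules discussed above: XACML policy and decision statements may omit Subject, every Subject still carries a NameIdentifier, and SubjectConfirmation is accepted only for Principals. The `Kind` attribute stands in for the unnamed URI attribute Greg proposes, and the namespace and kind URIs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed namespace and subject-kind URIs for illustration only; the
# thread proposes a kind-indicating URI attribute but does not name one.
SAML = "urn:example:saml-draft"
NS = {"saml": SAML}
PRINCIPAL = "urn:example:subject-kind:principal"
# Statement types the thread says make sense without any Subject.
SUBJECTLESS_OK = {"XACMLPolicyStatement", "XACMLAuthorizationDecisionStatement"}
# Statement types that are always about a Security Principal.
PRINCIPAL_ONLY = {"AuthenticationStatement", "AttributeStatement"}


def check_assertion(xml_text):
    """Return the list of rule violations in an assertion (empty if acceptable)."""
    root = ET.fromstring(xml_text)
    problems = []
    subject = root.find("saml:Subject", NS)
    kind = subject.get("Kind") if subject is not None else None  # hypothetical attribute
    if subject is not None:
        # Every subject, Principal or not, still needs a name.
        if subject.find("saml:NameIdentifier", NS) is None:
            problems.append("Subject lacks NameIdentifier")
        # Confirmation (proof of holding the subject's key) only fits a Principal.
        if kind != PRINCIPAL and subject.find("saml:SubjectConfirmation", NS) is not None:
            problems.append("SubjectConfirmation on a non-Principal subject")
    for child in root:
        tag = child.tag.split("}")[-1]
        if not tag.endswith("Statement"):
            continue  # Issuer, Conditions, Subject itself are not statements
        if subject is None and tag not in SUBJECTLESS_OK:
            problems.append(f"{tag} requires a Subject")
        elif tag in PRINCIPAL_ONLY and kind != PRINCIPAL:
            problems.append(f"{tag} requires a Principal subject")
    return problems


# Constructed sample assertions (not real SAML documents).
POLICY = f'<Assertion xmlns="{SAML}"><Issuer>pap</Issuer><XACMLPolicyStatement/></Assertion>'
AUTHN_NO_SUBJECT = f'<Assertion xmlns="{SAML}"><AuthenticationStatement/></Assertion>'
PRINCIPAL_AUTHN = (f'<Assertion xmlns="{SAML}"><Subject Kind="{PRINCIPAL}"><NameIdentifier>alice'
                   '</NameIdentifier><SubjectConfirmation/></Subject><AuthenticationStatement/></Assertion>')
RESOURCE_CONFIRMED = (f'<Assertion xmlns="{SAML}"><Subject Kind="urn:example:subject-kind:resource">'
                      '<NameIdentifier>file:///r</NameIdentifier><SubjectConfirmation/></Subject>'
                      '<XACMLAuthorizationDecisionStatement/></Assertion>')

if __name__ == "__main__":
    for doc in (POLICY, AUTHN_NO_SUBJECT, PRINCIPAL_AUTHN, RESOURCE_CONFIRMED):
        print(check_assertion(doc) or "ok")
```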