security-services message
Subject: RE: [security-services] Moving subjects up to assertions


On 9 March, Reid, Irving writes: RE: [security-services] Moving subjects up to assertions
 > > From: Scott Cantor [mailto:cantor.2@osu.edu] 
 > > ...
 > > I would then add language to the spec for the existing three 
 > > statement types
 > > plus any future subject-based statement extensions that basically says
 > > something like:
 > > 
 > > "An assertion containing such a statement MUST contain a 
 > > <Subject> element
 > > as defined by sec. XX. If a <Subject> is not provided, then any such
 > > statements are invalid and MUST be ignored. This <Subject> 
 > > element applies
 > > to all such statements in the assertion. Any other statements 
 > > MUST define
 > > their relationship to the <Subject> element, if any."
 > > 
 > > Wordsmithed as need be, but that's the gist.
 > 
 > I'm not sure we need to be quite this strong. Based on previous discussions, I suspect XACML would like to have AttributeStatement elements without subjects.

I don't have any problem with requiring a Subject in an
AttributeStatement.  The Subject of a given AttributeStatement is
just the entity bound to the Attribute.  Such a SAML Subject
might map to an XACML Subject, Resource, or Action, depending on
the actual identity of the Subject.

In other words, "Subject" in an AttributeStatement, and "Subject"
in an XACML Request or Policy have different purposes.

I also don't feel terribly strongly about having an optional
Subject in all SAML Assertions.  XACML just would not use the
Subject in our XACMLAuthorizationDecisionStatement or
XACMLPolicyStatement Response/Assertion.  So long as we are not
forced to have a SAML Subject, XACML can probably live with the
result.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
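The rule Scott proposes in the quoted text ("an assertion containing such a statement MUST contain a <Subject> ... if a <Subject> is not provided, then any such statements are invalid and MUST be ignored") is easy to get wrong in a consumer that processes statements one at a time, so here is an added illustration of what a consumer-side check would look like. This is example code written for this archive page, not anything from the thread, the SAML specification or any implementation. It assumes an unnamespaced, simplified element vocabulary (Assertion, Subject, the three statement types named in the thread, plus a hypothetical XACMLPolicyStatement as the kind of statement Anne says would define its own relationship to a subject); the real schema is namespaced and richer, and an empty <Subject/> being treated as absent is an assumption of this example.

```python
"""Consumer-side check for the proposed assertion-level <Subject> rule.

Added example for the archive page, not code from the thread or the spec.
Element names are a simplified, unnamespaced stand-in for the SAML
vocabulary; the real schema uses namespaces.
"""
import xml.etree.ElementTree as ET
from typing import List

# Statement types that, under the proposal quoted above, are bound to the
# assertion-level <Subject>.  A future subject-based extension would be
# added to this set.
SUBJECT_BASED_STATEMENTS = {
    "AuthenticationStatement",
    "AttributeStatement",
    "AuthorizationDecisionStatement",
}


def valid_statements(assertion_xml: str) -> List[str]:
    """Return the tags of the statements a consumer may act on.

    Subject-based statements are kept only when the assertion carries a
    non-empty <Subject> (non-empty is an assumption of this example).
    Other statements, such as the XACML statements mentioned in the reply,
    define their own relationship to a subject and pass through unchanged.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "Assertion":
        raise ValueError("expected an <Assertion> root, got <%s>" % root.tag)

    subject = root.find("Subject")
    has_subject = subject is not None and len(subject) > 0

    kept = []
    for child in root:
        if child.tag == "Subject":
            continue  # the subject itself is not a statement
        if child.tag in SUBJECT_BASED_STATEMENTS and not has_subject:
            # Invalid under the rule: the statement MUST be ignored rather
            # than processed with a guessed or empty subject.
            continue
        kept.append(child.tag)
    return kept


# Constructed sample assertions (not real SAML messages).
WITH_SUBJECT = """
<Assertion>
  <Subject><NameIdentifier>alice@example.org</NameIdentifier></Subject>
  <AttributeStatement>
    <Attribute AttributeName="role"><AttributeValue>staff</AttributeValue></Attribute>
  </AttributeStatement>
  <XACMLPolicyStatement/>
</Assertion>
"""

WITHOUT_SUBJECT = """
<Assertion>
  <AttributeStatement>
    <Attribute AttributeName="role"><AttributeValue>staff</AttributeValue></Attribute>
  </AttributeStatement>
  <XACMLPolicyStatement/>
</Assertion>
"""

if __name__ == "__main__":
    print("with subject:   ", valid_statements(WITH_SUBJECT))
    print("without subject:", valid_statements(WITHOUT_SUBJECT))
```

Note that the attribute statement is dropped silently in the second case while the XACML policy statement survives, which is exactly the split Anne describes: a consumer that instead processed the subject-less AttributeStatement would be binding attributes to nobody in particular.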