Subject: RE: [security-services] Moving subjects up to assertions
On Tue, 9 Mar 2004, Reid, Irving wrote:

> > "An assertion containing such a statement MUST contain a
> > <Subject> element
> > as defined by sec. XX. If a <Subject> is not provided, then any such
> > statements are invalid and MUST be ignored.
>
> I'm not sure we need to be quite this strong. Based on previous
> discussions, I suspect XACML would like to have AttributeStatement
> elements without subjects.

Really? To me this would be like having an LDAP entry without a DN. Attributes have to be attributes of something, and that something is the Subject. The Subject of an attribute statement doesn't have to be a Subject that could also be a Subject of an authentication statement. That is, if I want to make a statement with attributes about that doorknob over there, I can make a Subject expression identifying the doorknob. Is there really a use case for Subject-less attribute statements?

> One could also build a sort of "hard anonymity" by profiling
> AuthenticationStatements that have no Subject (perhaps Shib could use
> this, rather than short-lived pseudonyms).

Once again, this seems like reaching for a use case, when we do perfectly well with Subject-based mechanisms today. I think having Subjects be required for these statements is much more in line with the simplicity we're both in favor of.

- RL "Bob"