OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Multiple subjects in SAML assertions

During the 18 Sept. SSTC/Focus conference call, I raised an issue about the
fact that in the draft schema, <Subject> elements can contain an arbitrary
number of <NameIdentifier>, <SubjectConfirmation>, and <AssertionSpecifier>

<Subject> elements are used (at least) in Assertions and in SubjectQuery
protocol messages.

In the last published Core document,
the supporting text states that "If a <Subject> element contains more than
one subject specification the issuer is asserting that all the subject
specifications present specify the same subject."

For the rest of this message, I'll base discussion on the -19 schemas Phill
sent out in
there have not been substantive changes to the <Subject> element.

One of the reasons to allow multiple subject specifiers within the <Subject>
element is to allow for a <NameIdentifier> and a <SubjectConfirmation>, such
that the confirmation data and method corresponds to the NameIdentifier. The
current schema doesn't quite work for this, since there could be more than
one of each and there is no way to determine which <SubjectConfirmation>
applies to which <NameIdentifier>. Frankly, I think we need to re-think the
entire <SubjectConfirmation> issue, but that's for a different thread.

Another use for multiple subject specifiers was brought up by Phill on the
18 Sept. call. In this case, a single real-world entity has multiple digital
identities. For example, Phill might have separate private keys and
certificates on each of his laptops, his cellphone, PDA, and workstation. An
issuing authority may want to provide an assertion that applies to all those

For this case, Phill suggested that it might be OK to have the assertion
apply "jointly and severally" to all the subjects listed in the assertion,
with no implication that all the subjects somehow represent the same entity.

My main problem with all of this is that it opens a lot of questions about
how the relying party is supposed to behave when it gets assertions
containing multiple <NameIdentifier> elements.

For attribute assertions, it's not too difficult - as long as the relying
party starts with a single NameIdentifier, it can figure out which attribute
assertions apply. To me, this case is an optimisation - instead of an
authority generating a separate attribute assertion for each subject, it can
take a shortcut and generate a single assertion for a group of subjects that
all have the same attribute.

In the context of Web SSO applications, I'm more concerned about the
possibility of AuthenticationAssertions with more than one subject. As far
as I can tell, the relying party must now query for desired attributes for
all the subjects in the AuthnAssertion, and resolve possible conflicts
between those attributes. I don't want to spend the time in SSTC trying to
define the semantics of this before SAML 1.0; I think we have more important
things to do.

While I'm debating the content of the <Subject> element, I also dislike the
<AssertionSpecifier> element. The intended semantics of this element are:
The assertion containing the <AssertionSpecifier> subject element applies to
exactly the same subject as the assertion referred to by the
<AssertionSpecificer>. If this is really what we want, why not just copy the
<Subject> element from the referent into the new assertion, rather than
putting in the <AssertionSpecifier>. With the existing schema and semantics,
we're forcing the relying party to find the other assertion just to copy its

The other reason I don't like <AssertionSpecifier> is that it will confuse
people into thinking that one assertion can have another assertion as its
subject, rather than our intended "copy-the-subject" semantics.

So, my proposal is to drastically reduce the scope of the <Subject> element
so that, for SAML 1.0, it contains exactly one <NameIdentifier> and nothing
else. The <SubjectConfirmation> element should move into <Conditions>, and
probably be renamed. I'll start another email thread about that.

As far as I can tell, this satisfies all the use cases in the Use Cases and
Requirements document
pdf). We can make the <Subject> element extensible, so that we can add
alternatives when we work out clear semantics for them.

 - irving - 

The information contained in this message is confidential and is intended 
for the addressee(s) only.  If you have received this message in error or 
there are any problems please notify the originator immediately.  The 
unauthorized use, disclosure, copying or alteration of this message is 
strictly forbidden. Baltimore Technologies plc will not be liable for direct, 
special, indirect or consequential damages arising from alteration of the 
contents of this message by a third party or as a result of any virus being 
passed on.

In addition, certain Marketing collateral may be added from time to time to 
promote Baltimore Technologies products, services, Global e-Security or 
appearance at trade shows and conferences.
This footnote confirms that this email message has been swept by 
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC