Subject: RE: [security-services] Moving subjects up to assertions
On 9 March, Reid, Irving writes: RE: [security-services] Moving subjects up to assertions

> > From: Scott Cantor [mailto:cantor.2@osu.edu]
> > ...
> > I would then add language to the spec for the existing three statement types
> > plus any future subject-based statement extensions that basically says
> > something like:
> >
> > "An assertion containing such a statement MUST contain a <Subject> element
> > as defined by sec. XX. If a <Subject> is not provided, then any such
> > statements are invalid and MUST be ignored. This <Subject> element applies
> > to all such statements in the assertion. Any other statements MUST define
> > their relationship to the <Subject> element, if any."
> >
> > Wordsmithed as need be, but that's the gist.
>
> I'm not sure we need to be quite this strong. Based on previous discussions,
> I suspect XACML would like to have AttributeStatement elements without subjects.

I don't have any problem with requiring a Subject in an AttributeStatement. The Subject of a given AttributeStatement is just the entity bound to the Attribute. Such a SAML Subject might map to an XACML Subject, Resource, or Action, depending on the actual identity of the Subject. In other words, "Subject" in an AttributeStatement, and "Subject" in an XACML Request or Policy have different purposes.

I also don't feel terribly strongly about having an optional Subject in all SAML Assertions. XACML just would not use the Subject in our XACMLAuthorizationDecisionStatement or XACMLPolicyStatement Response/Assertion. So long as we are not forced to have a SAML Subject, XACML can probably live with the result.

Anne

--
Anne H. Anderson              Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311   Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
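An added illustration of the rule quoted above (not code from this thread or from any SAML implementation): a consumer-side check that treats the three existing statement types as subject-based, ignores them when the assertion carries no <Subject>, and leaves a non-subject-based extension statement (here a constructed XACMLPolicyStatement, which per Anne's note would not use the Subject) untouched. Element names are used without namespaces and the sample assertions are constructed for the example.

```python
import xml.etree.ElementTree as ET

# The three existing statement types the proposal calls "subject-based".
# Assumption: any extension statement not in this set defines its own
# relationship to <Subject> (or none), so it is never dropped by this check.
SUBJECT_BASED = {
    "AuthenticationStatement",
    "AttributeStatement",
    "AuthorizationDecisionStatement",
}


def _local(tag):
    """Strip a namespace prefix of the form '{uri}name', if present."""
    return tag.rsplit("}", 1)[-1]


def evaluate_assertion(xml_text):
    """Apply the proposed rule to one assertion.

    Returns (subject, accepted, ignored):
      subject  - NameIdentifier text of the assertion-level <Subject>,
                 '' if <Subject> has no NameIdentifier, None if absent
      accepted - statement element names a relying party may act on
      ignored  - subject-based statements dropped because <Subject> is missing
    """
    root = ET.fromstring(xml_text)
    subject = None
    for child in root:
        if _local(child.tag) == "Subject":
            nameid = next((c for c in child.iter()
                           if _local(c.tag) == "NameIdentifier"), None)
            subject = (nameid.text or "").strip() if nameid is not None else ""
            break

    accepted, ignored = [], []
    for child in root:
        name = _local(child.tag)
        if name == "Subject":
            continue
        if name in SUBJECT_BASED and subject is None:
            ignored.append(name)  # invalid per the proposed MUST; do not act on it
        else:
            accepted.append(name)
    return subject, accepted, ignored


# Constructed sample assertions (not taken from any real deployment).
WITH_SUBJECT = ("<Assertion><Subject><NameIdentifier>alice</NameIdentifier>"
                "</Subject><AttributeStatement/></Assertion>")
WITHOUT_SUBJECT = ("<Assertion><AttributeStatement/>"
                   "<XACMLPolicyStatement/></Assertion>")
```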