OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Moving subjects up to assertions

On Tue, 9 Mar 2004, Reid, Irving wrote:

> > "An assertion containing such a statement MUST contain a
> > <Subject> element
> > as defined by sec. XX. If a <Subject> is not provided, then any such
> > statements are invalid and MUST be ignored.
> I'm not sure we need to be quite this strong. Based on previous
> discussions, I suspect XACML would like to have AttributeStatement
> elements without subjects.

Really?  To me this would be like having an LDAP entry without a DN.
Attributes have to be attributes of something, and that something is the
Subject.  The Subject of an attribute statement doesn't have to be a
Subject that could also be a Subject of an authentication statement.  That
is, if I want to make a statement with attributes about that doorknob over
there, I can make a Subject expression identifying the doorknob.  Is there
really a use case for Subject-less attribute statements?

> One could also build a sort of "hard anonymity" by profiling
> AuthenticationStatements that have no Subject (perhaps Shib could use
> this, rather than short-lived pseudonyms).

Once again, this seems like reaching for a use case, when we do perfectly
well with Subject-based mechanisms today.

I think having Subjects be required for these statements is much more in
line with the simplicity we're both in favor of.

 - RL "Bob"

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]