Subject: Comments on Core 13 & Profiles 08 around SubjectConfirmationData
Additional authentication information to be used by a specific authentication protocol. For example, typical content of this element might be a <ds:KeyInfo> element as defined in the XML Signature Syntax and Processing specification [XMLSig], which identifies a cryptographic key.
In Section 3.2, Profiles 08 refers to various attributes on SubjectConfirmationData, e.g. NotOnOrAfter, NotBefore, etc
1) Core schema doesn't currently allow for these NotOnOrAfter & NotBefore (nor the others) attributes on SubjectConfirmationData, the schema for which is
<element name="SubjectConfirmationData" type="anyType" />
2) Logically, the attributes NotOnOrAfter and NotBefore seem inconsistent with the above definition for SubjectConfirmationData, i.e. they are conditions on the confirmation rather than data to be used for that confirmation.
3) What is the relation between these NotOnOrAfter and NotBefore attributes on SubjectConfirmationData and the attributes of the same name on the Condition element. What would it mean for an assertion to be valid for some interval (as defined by the times specifed in the Conditions element) but during which the Subject can't confirm itself (as specified by the times on the SubjectConfirmationData element)?