Subject: Re: [security-services] Proposed clean up on subject text




Scott Cantor wrote on 11/11/2004, 9:34 PM:

 > To wrap up that thread on describing the two options for Subject content
 > (the one Rob, Ron, Conor, me, etc. presented text for), here's a small
 > modification to Rob's text that adds Ron's clarification:
 >
 > "A <Subject> element can contain both an identifier and zero or more subject
 > confirmations which a relying party can verify when processing an assertion.
 > Once any subject confirmations are verified, the relying party can treat the
 > entity presenting the assertion as the entity that the SAML authority
 > associates with the name identifier and the claims in the assertion.


I still think this too strongly indicates that the claims and the
name identifier are about the confirming entity.  In many cases this
will not be the case (the claims and the identity are about a user
and the confirmation is about an entity that can use the assertion
in a transaction).  The two entities (user and presenter) are very
different entities to the Authority.

I also think we should call out what it means if there are no
confirmations in the <Subject> (e.g. it is considered confirmed
by presentation).

How about something along the lines of:

    A <Subject> element can contain both an identifier and zero
    or more subject confirmations which a relying party can verify
    when processing an assertion.  If there are no subject
    confirmations, or if any one of the listed subject confirmations
    is verified, the relying party can treat the entity presenting
    the assertion as an entity that the SAML authority has
    associated with the entity identified in the name identifier
    (which may or may not be the same entity).

I don't think we need to bring in the claims at this point.  The claims
are always about the name identifier (if present).

Conor
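The rule proposed in this message, written out as a relying-party check in Python. This is an added example, not code from the thread or from any SAML implementation; the SAML 2.0 assertion namespace, the bearer Method URI, the Recipient/NotOnOrAfter policy and the sample assertions are assumptions of the example.

```python
# Relying-party check for a SAML 2.0 <Subject>, implementing the rule proposed
# above: no <SubjectConfirmation> means confirmed by presentation; otherwise any
# one verified confirmation suffices.  NameID and confirming entity are reported
# separately since they need not coincide.  URIs are SAML 2.0 values assumed here.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

@dataclass
class SubjectDecision:
    confirmed: bool
    name_id: Optional[str]       # entity the claims are about, if identified
    confirmed_by: Optional[str]  # "presentation" or the Method URI that verified

def _bearer_ok(data: Optional[ET.Element], recipient: str, now: datetime) -> bool:
    # Policy of this example: a bearer confirmation must carry a matching
    # Recipient and an unexpired NotOnOrAfter (stricter than the schema requires).
    if data is None or data.get("Recipient") != recipient:
        return False
    expiry = data.get("NotOnOrAfter")
    return expiry is not None and now < datetime.fromisoformat(expiry)

def evaluate_subject(assertion_xml: str, recipient: str, now: datetime) -> SubjectDecision:
    subject = ET.fromstring(assertion_xml).find("saml:Subject", NS)
    if subject is None:
        return SubjectDecision(False, None, None)
    name_id = subject.findtext("saml:NameID", namespaces=NS)
    confirmations = subject.findall("saml:SubjectConfirmation", NS)
    if not confirmations:  # none listed: confirmed by presentation alone
        return SubjectDecision(True, name_id, "presentation")
    for conf in confirmations:  # any one verified confirmation is enough
        data = conf.find("saml:SubjectConfirmationData", NS)
        if conf.get("Method") == BEARER and _bearer_ok(data, recipient, now):
            return SubjectDecision(True, name_id, BEARER)
    return SubjectDecision(False, name_id, None)  # listed, but none verified

# Constructed sample assertions (not from the thread) for the cases above.
NOW = datetime(2004, 11, 12, 10, 0, tzinfo=timezone.utc)
NO_CONF = ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
           '<Subject><NameID>alice</NameID></Subject></Assertion>')
BEARER_OK = ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Subject>'
             '<NameID>alice</NameID><SubjectConfirmation Method="%s">'
             '<SubjectConfirmationData Recipient="https://sp.example/acs" '
             'NotOnOrAfter="2004-11-12T10:05:00+00:00"/></SubjectConfirmation>'
             '</Subject></Assertion>' % BEARER)
BEARER_LATE = BEARER_OK.replace("10:05:00", "09:55:00")
```

The decision keeps the name identifier and the confirming method apart, so a relying party can record who the claims are about without assuming the presenter is that same entity.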
