Re: [security-services] SubjectConfirmation errata

[Prateek Mishra <prateek.mishra@oracle.com>]

[Ron]

> IMV, an entity satisfying the confirmation method has been authorized 
> by the
>
>> assertion issuer to use (the identity of)  the subject of the assertion.
>>
>> IMV, if an additional identifier is present it  indicates that the 
>> assertion issuer has authorized
>> the attribution of this additional identifier to any entity that 
>> satisfies the confirmation method.
>>
>> As such, the presence of this additional identifier indicates that to 
>> the assertion issuer, the
>> attesting entity is different (by this additional attribute) from the 
>> subject.
>>
>> is that not sufficient?
>>
[\Ron]

Yes, it is sufficient. My message was a little digressive but I was 
actually trying to understand the following text from Scott:

[Scott]
"If the <SubjectConfirmation> element in an assertion subject contains an
identifier that is distinct from the identifier in the enclosing subject,
the issuer authorizes the attesting entity to wield the assertion on behalf
of that subject. A relying party MAY apply additional constraints on the 
use
of such an assertion at its discretion, based upon the identities of both
the subject and the attesting entity.

If an assertion is issued for use by an entity other than the subject, then
that entity SHOULD be identified in the <SubjectConfirmation> element."
[Scott]

The phrase "distinct from the identifier in the enclosing subject" is 
the source of the problem.

Do we really need it here?

- prateek