revise use of "ipAddress" for subjects

[tr33]

IP addresses belong to the network layer and may not be available to the PEP or may not affect many AuthZ decision requests. If the subject is identified through its IP address, then it should be the subjects "id" attribute.

Also, IPv6 addressing schemes can be rather complex and error-prone, due to multiple variations in syntax: eg. those are different variants of THE SAME ip address:

- fe80::AbCD:3:2:0001
- Fe80:0:0:0:abcd:0003:0002:0001
- Fe80:0:0:0:abcd:0003:0002:0001%eth1

Its horrid to implement a unification/syntax check on PDPs/PEP side.

recommendation:

• remove the "ipAddress" attribute until further specified.
• or define a dedicated structure with optional, freely defined attributes where an "ipAddress" can be defined as a custom attribute without further specification.

[baboulebou]

My only concerns about these Subject attributes is that they are geared towards human Subjects. A smart IoT device or a Web Service could also be Subjects. Seems to me that Subject could be a JSON object with whatever attributes make sense to the implementer. Just enforce an id and leave the rest open...