openid / sharedsignals

OpenID Shared Signals Working Group Repository

ComplexSubject clarification for incomplete info #32

Closed FragLegs closed 4 months ago

FragLegs commented 1 year ago

In section 3.2.1 the SSE spec says:

> All members within a Complex Subject MUST represent attributes of the same Subject Principal. As a whole, the Complex Subject MUST refer to exactly one Subject Principal.

I read this to mean that when examining a new security event to determine whether it matches a subject that a receiver has added to the stream, the rule is that all of the attributes of the Complex Subject must match. That is, if the receiver added this subject:

```json
{
    "device": {
        "format": "opaque",
        "id": "1234"
    },
    "application": {
        "format": "opaque",
        "id": "5678"
    }
}
```

Then in order for an event to be delivered on that stream, it must have both device 1234 and application 5678.

I have three questions:

  1. Is the interpretation above correct? Or would an event that matches any of the attributes be delivered on the stream?
  2. What happens if the event has more information than the ComplexSubject? That is, would an event with device 1234, application 5678, and user foo be delivered on this stream?
  3. What happens if the event has less information than the ComplexSubject? That is, would an event with device 1234 and no application information be delivered on this stream?

We need to come to a consensus about these cases, and then I would suggest we should add enough details to the spec to make the answers clear to readers.

tulshi commented 1 year ago
timcappalli commented 1 year ago

call 2023-03-21: defer discussion until @tulshi and @FragLegs are on call

FragLegs commented 1 year ago

It was decided during the 2023-05-02 call that complex subject matching should work as follows:

For ComplexSubject A to match ComplexSubject B, at least one of the following conditions must be true for every field (i.e., user, group, device, etc.) within the ComplexSubject:

  1. ComplexSubject A's field is not defined
  2. ComplexSubject B's field is not defined
  3. ComplexSubject A's field exactly matches ComplexSubject B's field

I'll go ahead and enter this into the spec for clarification.
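The matching rule from the comment above, applied to the three questions in the original post plus two edge cases, as an added example that is not part of the thread or the spec text. It assumes "exactly matches" means equality of the parsed JSON member objects and that a top-level `format` key is a type tag rather than a member; the function names and the event subjects are constructed for illustration.

```python
# Added example: the three-condition ComplexSubject matching rule.
# Assumption: "exactly matches" = equality of the parsed JSON member objects.

def complex_subjects_match(a: dict, b: dict) -> bool:
    """True if, for every field, A lacks it, B lacks it, or both are equal."""
    # Assumption: a top-level "format" key is a type tag, not a member field.
    fields = (set(a) | set(b)) - {"format"}
    for field in fields:
        if field not in a or field not in b:
            continue          # conditions 1 and 2: undefined on one side
        if a[field] != b[field]:
            return False      # condition 3 fails: both defined, but different
    return True

def opaque(value: str) -> dict:
    """Build an opaque identifier member like the ones in the issue."""
    return {"format": "opaque", "id": value}

# Subject the receiver added to the stream (taken from the issue).
STREAM_SUBJECT = {"device": opaque("1234"), "application": opaque("5678")}

# Constructed event subjects: questions 1-3, a mismatch, and a disjoint case.
CASES = {
    "same fields": {"device": opaque("1234"), "application": opaque("5678")},
    "extra user field": {"device": opaque("1234"),
                         "application": opaque("5678"),
                         "user": opaque("foo")},
    "device only": {"device": opaque("1234")},
    "different device": {"device": opaque("9999"),
                         "application": opaque("5678")},
    "no shared fields": {"user": opaque("foo")},
}

def evaluate(stream_subject: dict, cases: dict) -> dict:
    """Map each case name to whether it matches the stream subject."""
    return {name: complex_subjects_match(stream_subject, subject)
            for name, subject in cases.items()}

if __name__ == "__main__":
    for name, matched in evaluate(STREAM_SUBJECT, CASES).items():
        print(f"{name:18} -> {'match' if matched else 'no match'}")
```

Under the rule as written, two subjects that share no defined field match vacuously (the "no shared fields" case), so a transmitter that wants narrower delivery has to enforce that separately.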

tulshi commented 4 months ago

@FragLegs, it sounds like this issue was addressed in the PR, so I'm closing it. Please re-open if this is not closed.