Open
Description
The Subject Matching criteria state that for Complex Subjects, two subjects match if, for all fields in the Complex Subject (i.e. user, group, device, etc.), at least one of the following statements is true:
1. Subject 1's field is not defined
2. Subject 2's field is not defined
3. Subject 1's field is identical to Subject 2's field
Given this example:
Subject 1:
```json
{
  "format": "complex",
  "user": {
    "format": "email",
    "email": "bar@example.com"
  },
  "tenant": {
    "format": "iss_sub",
    "iss": "https://example.com/idp1",
    "sub": "1234"
  }
}
```
Subject 2:
```json
{
  "format": "complex",
  "group": {
    "format": "did",
    "url": "did:example:123456"
  }
}
```
- For the "user" field, statement 2 is true
- For the "tenant" field, statement 2 is true
- For the "group" field, statement 1 is true
This would lead to a match. We should consider requiring at least 1 field to be identical in subject 1 and 2 (i.e. statement 3 must be true for at least 1 field).
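The two rules side by side, as an added example that is not part of the original issue or the specification: `matches_current` implements the criteria as quoted above and `matches_proposed` adds the suggested requirement that at least one field be identical. The function names, the use of deep equality for "identical", and SUBJECT_3 and SUBJECT_4 are assumptions made for illustration.

```python
def members(subject):
    """Member fields of a Complex Subject: every key except 'format'."""
    return {k: v for k, v in subject.items() if k != "format"}

def matches_current(s1, s2):
    """Rule as quoted in the issue: for every field, it is undefined on
    one side or identical on both (deep equality is an assumption)."""
    m1, m2 = members(s1), members(s2)
    return all(f not in m1 or f not in m2 or m1[f] == m2[f]
               for f in m1.keys() | m2.keys())

def matches_proposed(s1, s2):
    """Rule suggested in the issue: the current rule, plus at least one
    field that is defined on both sides and identical."""
    m1, m2 = members(s1), members(s2)
    shared = m1.keys() & m2.keys()
    return matches_current(s1, s2) and any(m1[f] == m2[f] for f in shared)

# Subject 1 and Subject 2 are copied from the issue text.
SUBJECT_1 = {
    "format": "complex",
    "user": {"format": "email", "email": "bar@example.com"},
    "tenant": {"format": "iss_sub",
               "iss": "https://example.com/idp1", "sub": "1234"},
}
SUBJECT_2 = {
    "format": "complex",
    "group": {"format": "did", "url": "did:example:123456"},
}
# Constructed samples (not from the issue): same user, and a different user.
SUBJECT_3 = {
    "format": "complex",
    "user": {"format": "email", "email": "bar@example.com"},
}
SUBJECT_4 = {
    "format": "complex",
    "user": {"format": "email", "email": "other@example.com"},
}

if __name__ == "__main__":
    pairs = [("1 vs 2", SUBJECT_1, SUBJECT_2),
             ("1 vs 3", SUBJECT_1, SUBJECT_3),
             ("1 vs 4", SUBJECT_1, SUBJECT_4)]
    for label, a, b in pairs:
        print(label, "current:", matches_current(a, b),
              "proposed:", matches_proposed(a, b))
```

Under the current rule any two Complex Subjects with no fields in common match, so the disjoint pair from the issue matches; under the proposed rule that pair is rejected while subjects sharing an identical field still match.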