in-toto / attestation

in-toto Attestation Framework


Are the `subject` entries of special ResourceDescriptor type?

AdamZWu opened this issue · comments

The regular ResourceDescriptor marks digest as optional.

However the schema defines the subject field entries "MUST have digest ... Subject artifacts are matched purely by digest".

So it would seem that the subject entries are special resource descriptors.
And correspondingly, it probably would make sense to disallow content in subjects.
Is that a correct interpretation?

So it would seem that the subject entries are special resource descriptors.

I don't know what "special" means? It is adding an additional constraint. What is the problem you are having?

And correspondingly, it probably would make sense to disallow content in subjects.

No, I don't think that follows. If you want to inline the content if it's tiny, I'm not sure why that would be disallowed?

I agree, requiring the digest isn't mutually exclusive with having the content there. Also note that the resource descriptor spec allows use cases to define additional constraints: https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md#fields

Though all fields are optional, a ResourceDescriptor MUST specify one of uri, digest or content at a minimum. Further, a context that uses the ResourceDescriptor can require one or more fields. For example, a predicate may require the name and digest fields. Note that those requirements cannot override the minimum requirement of one of uri, digest, or content specified here.
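To make the two layers of constraint concrete, here is a small validator written as an added example for this thread (it is not code from the in-toto project). It enforces the generic ResourceDescriptor minimum quoted above (at least one of `uri`, `digest`, `content`) and, on top of that, the Statement-level rule that every `subject` entry carries a `digest`, while leaving inline `content` in a subject permitted, as discussed. The sample statement and its digest values are constructed for illustration.

```python
import json
import re

# Digest values in a DigestSet are hex-encoded; we check lowercase hex here.
HEX_RE = re.compile(r"^[0-9a-f]+$")
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"


def validate_resource_descriptor(rd, require=()):
    """Return a list of problems for one ResourceDescriptor.

    `require` lists fields that the *using context* additionally demands
    (for subjects that is ("digest",)); the spec-wide minimum of one of
    uri/digest/content always applies and cannot be overridden.
    """
    if not isinstance(rd, dict):
        return ["descriptor must be a JSON object"]
    errors = []
    if not any(k in rd for k in ("uri", "digest", "content")):
        errors.append("must specify at least one of uri, digest, content")
    for field in require:
        if field not in rd:
            errors.append(f"required field '{field}' is missing")
    digest = rd.get("digest")
    if digest is not None:
        if not isinstance(digest, dict) or not digest:
            errors.append("digest must be a non-empty map algorithm -> hex")
        else:
            for alg, value in digest.items():
                if not isinstance(value, str) or not HEX_RE.match(value):
                    errors.append(f"digest[{alg}] is not a lowercase hex string")
    return errors


def validate_statement(stmt):
    """Validate an in-toto Statement v1; subjects must carry a digest."""
    errors = []
    if stmt.get("_type") != STATEMENT_TYPE:
        errors.append("_type is not the in-toto Statement v1 type")
    subjects = stmt.get("subject")
    if not isinstance(subjects, list) or not subjects:
        errors.append("subject must be a non-empty array")
        return errors
    for i, subj in enumerate(subjects):
        # Subjects are matched purely by digest, so digest is required here;
        # inline content is still allowed alongside it.
        for err in validate_resource_descriptor(subj, require=("digest",)):
            errors.append(f"subject[{i}]: {err}")
    return errors


# Constructed sample: a subject with digest AND tiny inline content (valid),
# plus a second subject that only has content (invalid as a subject).
SAMPLE_GOOD = json.loads("""
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {"name": "hello.txt",
     "digest": {"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"},
     "content": "aGVsbG8="}
  ],
  "predicateType": "https://example.com/predicate/v1",
  "predicate": {"input": {"uri": "pkg:generic/example@1.0"}}
}
""")

SAMPLE_BAD = json.loads("""
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {"name": "hello.txt", "content": "aGVsbG8="}
  ],
  "predicateType": "https://example.com/predicate/v1",
  "predicate": {}
}
""")

if __name__ == "__main__":
    print("good:", validate_statement(SAMPLE_GOOD))
    print("bad: ", validate_statement(SAMPLE_BAD))
```

The predicate-level descriptor in the good sample only has a `uri`, which the generic rule accepts; the same descriptor would be rejected as a subject. The function returns problems rather than raising so a verifier can report all of them at once.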

Ah OK, I didn't see (or more accurately, didn't understand :P) the provision "a context that uses the ResourceDescriptor can require one or more fields...".

Thanks for clarifying!