RE: [imi] Issue regarding AppliesTo content

["Scott Cantor" <cantor.2@osu.edu>]

> Scott, as you pointed out, your proposal is actually an instance of a more
> general facility that would let a Relying Party provide a
WS-SecurityPolicy
> document via an object tag.

I was under the impression that was already possible, but now that I look
closer, I see it's the issuer's policy you can point to, not the RP's
policy. I would agree, that's a problem.

But my personal feeling is that WS-SecurityPolicy is too complex to catch on
amongst the majority of RP sites. Having a way to expose some of the more
critical features that would ordinarily require a policy document would be
useful.
 
> I'm sympathetic to this possibility (I know
> that Microsoft and others have talked about implementing this at some
> point), but I know of no implementations.  Despite the capability being
> well-motivated, I'm reluctant to introduce a new feature into this
standard
> until we have experience from existing practice to draw upon.

That's what I'm doing. This issue came up almost immediately when we tried
to implement the profile. It's sloppy, though common, design to conflate
locations with names. Locations tend to change, and having to change policy
every time something changes location renders the system rather
unmanageable.

-- Scott