RE: [security-services] Does anyone create assertions with more than onesubject? (was RE: [security-services] Retracting earlier SubjectRef suggestion)

["Linn, John" <jlinn@rsasecurity.com>]

Scott writes, excerpting: 

>> I'd be happy to move a proposal to *completely remove* the 
>> subject from the Statement element, and have a single subject 
>> in each assertion. I believe that we fell victim to 
>> optimizing the 1-percent case when we moved the subject into 
>> the statement in the first place.
>
>That's certainly my view, but I wasn't sure how people felt about it. I
>would second such a motion.

I'd "third" the hypothetical motion to avoid multi-subject assertions,
unless a compelling functional requirement emerges therefor, though am
neutral about the precise representation involved.  This seems somewhat
(though not exactly) reminscent of X.509 certificates, where each of the
elements of issuers' and subjects' relative distinguished names can
themselves be multi-valued.  I think it's fair to state that this has
generally proven to be a facility that's provided more confusion than usage
or utility.  As recent discussions have demonstrated, complex SAML usage
scenarios can lead to complex trust implications.  These are important to
specify and understand clearly, in order to grasp the security properties of
the overall system.  I expect that it will be easier to analyze the
mainstream case, with a single subject per assertion, than to generalize in
order to allow a more complicated situation that may not be functionally
necessary.  If we can take this sort of simplification here, I think we
should. 

--jl