RE: [security-services] Moving subjects up to assertions (disregardfirst reply)

[Scott Cantor <cantor.2@osu.edu>]

> So, perhaps it should be called AuthenticationLocality?

IIRC, the name was chosen because people got confused as to whether the
address/hostname referred to the client, or a server. They still do in fact.
I think SubjectLocality was a late compromise to try and clarify it. I think
I suggested PrincipalLocality at one point, but Principal didn't show up in
the schema anywhere, so people didn't want to add it late.

> it does seem  like that would be most useful with SubjectConfirmation 
> anyway. Is there another use for SubjectLocality BTW? Does it matter
> whether it's in the authentication statement or at the assertion level?
> Could it not relate to other (Subject)Statements?

I suppose one could argue it's a special case that maybe belongs solely as
bearer confirmation data. I don't personally have any other use for it, and
even that use is pretty minimal since more and more people are stuck behind
NATs.

-- Scott