security-services message

Subject: RE: Use of Assertion Specifier was: Multiple subjects in SAML assertions

> While I'm debating the content of the <Subject> element, I also dislike the
> <AssertionSpecifier> element. The intended semantics of this element are:
> The assertion containing the <AssertionSpecifier> subject element applies to
> exactly the same subject as the assertion referred to by the
> <AssertionSpecifier>. If this is really what we want, why not just copy the
> <Subject> element from the referent into the new assertion, rather than
> putting in the <AssertionSpecifier>? With the existing schema and semantics,
> we're forcing the relying party to find the other assertion just to copy its
> <Subject>.
> The other reason I don't like <AssertionSpecifier> is that it will confuse
> people into thinking that one assertion can have another assertion as its
> subject, rather than our intended "copy-the-subject" semantics.

There is a discussion of some of the possible reasons for using Assertion
Specifier in the Issues List under [DS-1-04: AssnSpecifiesSubject].

I think the issue of incorrect interpretation of SAML Assertions applies to
many features, not just this one. I expect the specification to clearly
document the semantics of various assertion elements and relying parties who
make up their own do so at their own risk.

