security-services message
Subject: Assertion level Subject
- From: "Conor P. Cahill" <concahill@aol.com>
- To: SAML <security-services@lists.oasis-open.org>
- Date: Sun, 19 Oct 2003 07:26:21 -0400
I hate to break up the ongoing parlay about the LA specs with real
work, but.....
The current SAML spec, as I understand it, has a subject contained
within each statement, allowing for different subjects in different
statements. While I have no problems with allowing for this, I do
have a problem with requiring this, especially when, at least in our
case, all statements within an assertion will have the same subject.
In fact, in every example that I have seen generated by others, the
subjects have been the same as well, so it isn't just me.
My issues with this are:
- Having multiple copies of the exact same data elements in different locations in a data structure is a bad design. Especially when these elements contain identity critical data.
- It is wasteful of bytes (yes, XML is big, but there's no reason for us to make it even bigger).
- It requires duplicative processing at the consumption point (as the contents of the <Subject> get more complex, this becomes a significant issue -- for example, an encrypted identifier).
- In my experience, this creates resistance to adoption when a developer who is concerned about efficiency (which, IMHO, all should be to some extent) looks at this and sees something that doesn't make sense to them. No jokes about seeing efficiency and XML in the same email!
Note that I am NOT
objecting to the possibility for there being different subjects. I'm
sure there are reasonable use cases where that will come to be. I am
just saying that we should efficiently handle what I see as a common
use case.
So, I would like to propose that we add an Assertion level <Subject>
that applies to all statements without a statement level <Subject>.
Barring such a solution, my next suggestion would be to add a Subject
reference mechanism so that a statement could refer to the
<Subject> in another statement (but this feels like a kludge to
me).
Conor
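As an added example of the rule proposed above (not code from the message, the list, or any SAML specification), a small Python resolver that gives each statement its own <Subject> when present and otherwise falls back to the assertion-level one, plus a check for the "different subjects" case; the element names, namespace and sample assertion are constructed for illustration.

```python
"""Resolve the effective <Subject> of each statement in a SAML-style assertion
under the proposed rule: a statement without its own <Subject> inherits the
assertion-level <Subject>. Element names, the namespace and the sample below
are constructed for illustration, not taken from any SAML schema."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:example:saml-sketch"}  # placeholder namespace

# Constructed sample: one assertion-level Subject and three statements. The
# first two rely on inheritance; the third carries its own (different) Subject.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:example:saml-sketch">
  <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
  <saml:AuthenticationStatement AuthenticationMethod="urn:example:password"/>
  <saml:AttributeStatement/>
  <saml:AuthorizationDecisionStatement Resource="urn:example:printer" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>bob@example.org</saml:NameIdentifier></saml:Subject>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

STATEMENT_TAGS = ("AuthenticationStatement", "AttributeStatement",
                  "AuthorizationDecisionStatement")


def subject_of(element):
    """Return the NameIdentifier text of a direct-child <Subject>, or None."""
    node = element.find("saml:Subject/saml:NameIdentifier", NS)
    return None if node is None else node.text


def resolve_subjects(assertion_xml):
    """Return (statement, effective_subject, inherited) per statement, in order.
    Raises ValueError for a statement with no Subject of its own when the
    assertion has none either: such a statement would be about nobody."""
    root = ET.fromstring(assertion_xml)  # use defusedxml for untrusted input
    default = subject_of(root)
    resolved = []
    for child in root:
        local = child.tag.split("}")[-1]  # strip the namespace prefix
        if local not in STATEMENT_TAGS:
            continue
        own = subject_of(child)
        if own is not None:
            resolved.append((local, own, False))
        elif default is not None:
            resolved.append((local, default, True))
        else:
            raise ValueError(f"{local} has no Subject and no assertion-level Subject")
    return resolved


def subjects_agree(assertion_xml):
    """True when every statement resolves to the same subject; False flags the
    rarer case of a statement-level Subject that differs from the default."""
    return len({subj for _, subj, _ in resolve_subjects(assertion_xml)}) <= 1
```

A consumer that verifies the assertion-level <Subject> once can then reuse it for every inheriting statement, which is the processing saving the message argues for.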