OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Moving subjects up to assertions(disregardfirst reply)

> Eve started this thread with the (dangerous, in my opinion 
> :-) speculation that XACML might still need assertions with 
> no SAML-style subject, because their subjects look so different.

It's not really speculation, assuming the end-game is embedding an
unmodified XACML element in an assertion. Unmodified being the key word in
that sentence. Clearly when we originally told them "hey, just extend
statement" it never occurred to me we'd be separately toying with this
degree of change to SAML...
> 1) make the SAML subject extensible enough to handle XACML subjects

I'm not so sure it isn't (Subject contains at least two anyType's at this
point!), but the issue is the decomposition of the XACML object, I suppose.

> What I want is:
> <sequence>
>   <subject>
>   <choice maxOccurs="unbounded">
>     <statement types, none of which contain any traces of our 
> old subject-related elements>
>   </choice>
> </sequence>

Right. My suggestion was that whatever we do, we try and preserve that by
not mixing it with something else, and not creating a second kind of
assertion. Having a mutually exclusive fork within <Assertion> seemed the
best "bad" solution.
> Hey - I just had another thought: SubjectLocality is really a 
> *subject confirmation method*, and should be schemad as such.

Hmm, sometimes maybe. I could see defining a bearer method that includes it.
Maybe you were just joking? ;-)

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]