Subject: Re: [security-services] Moving subjects up to assertions (disregard first reply)
ext Reid, Irving wrote:
> That's what this is all about. As far as we can tell, nobody actually
> needs the flexibility we currently have, and pretty well everybody
> agrees that the added complexity is a problem.
>
> What I want is:
>
> <sequence>
>   <subject>
>   <choice maxOccurs="unbounded">
>     <statement types, none of which contain any traces of our old subject-related elements>
>   </choice>
> </sequence>
>
> If it doesn't have a subject, it's something else, not a SAML
> assertion.

In which case, I would agree with you. What *I* don't want to see is that we define two abstract statement types that are exactly the same, and then have this forked approach where either subject statements or non-subject statements appear in the assertion, but not both. And I don't like the idea of subject-less assertions vs. subject-ful assertions. That all seems odd to me.

And... SubjectLocality, in the AuthenticationStatement, kinda relates to a Subject - which would no longer be present in the statement itself. Again, that seems a bit strange.

If we're not going to do what Irving suggests (i.e. assertions always contain a subject, and statements contain no other subject-related material), then I think we should leave things the way they are.

If we really need assertions without subjects (and I'm not saying we do) then I think defining a container element for that is a better approach than the others suggested so far.

- JohnK