OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] Moving subjects up to assertions (disregard first reply)


ext Reid, Irving wrote:

> That's what this is all about. As far as we can tell, nobody actually
> needs the flexibility we currently have, and pretty well everybody
> agrees that the added complexity is a problem.
> 
> What I want is:
> 
> <sequence> <subject> <choice maxOccurs="unbounded"> <statement types,
> none of which contain any traces of our old subject-related elements>
>  </choice> </sequence>
> 
> If it doesn't have a subject, it's something else, not a SAML
> assertion.

In which case, I would agree with you. What *I* don't want to see is 
that we define two abstract statement types that are exactly the same, 
and then have this forked approach where either subject statements or 
non-subject statements appear in the assertion, but not both. And I 
don't like the idea of subject-less assertions vs. subject-ful 
assertions. That all seems odd to me.

And... SubjectLocality, in the AuthenticationStatement, kinda relates to 
a Subject - which would no longer be present in the statement itself. 
Again, that seems a bit strange.

If we're not going to do what Irving suggests (i.e. assertions always 
contain a subject, and statements contain no other subject-related 
material), then I think we should leave things the way they are. If we 
really need assertions without subjects (and I'm not saying we do) then 
I think defining a container element for that is a better approach than 
the others suggested so far.

- JohnK


