On 8/17/11 8:22 PM, "Sam Hartman" <[email protected]> wrote:
>
> I'm confused: I thought an assertion was a kind of statement.

An assertion is (most of the time) a set of zero or more statements by an issuer about a subject. If they're attribute statements, all the statements are essentially just the same thing, and the attributes they contain can be pooled together. The syntax of multiple statements is notational, but there are no semantics to having 3 attributes in one statement and 2 in another. You wouldn't generally see it, and if you did, it doesn't mean anything different than one statement with 5 attributes.

Multiple assertions by one issuer are therefore similarly poolable if they're referring to the same subject, apart from any distinct conditions they might have or other content that would limit or influence their validity.

Multiple assertions by different issuers are of course a wholly different animal. That means exactly the messy, complex thing you would expect it to mean. One of the important things is to determine whether all the assertions, if there can in fact be more than one, must all refer to the same principal. And if they do, does that imply that all the Subjects must be identical? Or is the surrounding protocol providing a guarantee that whatever identifiers appear in the subjects, even if different, refer to the same principal?

Some people will argue strongly that unless the Subjects match identically, it's impossible for a relying party to treat them as referring to one principal. I don't share that view; I think that's something that can be defined by the protocol as a whole.

-- 
Scott

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
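The pooling rules Scott describes, as an added example that is not part of the thread and not any SAML library's code: a constructed, simplified assertion model in which statement boundaries are ignored, assertions from one issuer are merged only when their conditions hold and their subjects denote the same principal (with the equivalence rule left to the surrounding protocol, strict identity by default), and different issuers are never merged with each other.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed, simplified model of a SAML-style assertion: one issuer, one
# subject identifier, zero or more attribute statements, and a validity window.
@dataclass
class Assertion:
    issuer: str
    subject: str
    statements: List[Dict[str, Set[str]]]       # each: attribute name -> values
    validity: Tuple[int, int] = (0, 2**31 - 1)  # (NotBefore, NotOnOrAfter) as epoch seconds

def pool_statements(assertion: Assertion) -> Dict[str, Set[str]]:
    """Statement boundaries carry no meaning: 3 attributes in one statement and
    2 in another are the same as 5 in one, so merge them into one attribute map."""
    pooled: Dict[str, Set[str]] = {}
    for stmt in assertion.statements:
        for name, values in stmt.items():
            pooled.setdefault(name, set()).update(values)
    return pooled

def is_valid(assertion: Assertion, now: int) -> bool:
    """Conditions limit validity; an assertion outside its window must not be pooled."""
    not_before, not_on_or_after = assertion.validity
    return not_before <= now < not_on_or_after

def pool_assertions(assertions: Iterable[Assertion], now: int,
                    same_principal: Callable[[str, str], bool] = lambda a, b: a == b
                    ) -> Dict[str, Dict[str, Set[str]]]:
    """Pool attributes per issuer. Assertions whose conditions fail at `now` are
    dropped. Whether two subject identifiers denote the same principal is delegated
    to `same_principal`, which the surrounding protocol defines (default: identical
    strings). Assertions from different issuers stay in separate buckets."""
    pooled: Dict[str, Dict[str, Set[str]]] = {}
    reference: Dict[str, str] = {}  # issuer -> first subject identifier accepted
    for a in assertions:
        if not is_valid(a, now):
            continue
        ref = reference.setdefault(a.issuer, a.subject)
        if not same_principal(ref, a.subject):
            raise ValueError(f"{a.issuer}: subjects {ref!r} and {a.subject!r} differ")
        bucket = pooled.setdefault(a.issuer, {})
        for name, values in pool_statements(a).items():
            bucket.setdefault(name, set()).update(values)
    return pooled
```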
