
Karl Czajkowski wrote:
I don't disagree that user credentials will be important for many jobs. However, I disagree that a type and semantics-free UserCredential field, as in the current draft, actually helps.

I think I can agree with that (and I like your motivating examples). But there is a way forward. We can drop the UserCredential element itself but instead allow a sequence of SAML assertions or assertion references. This is a clearly defined (if large) standard and so using it would be a good thing.

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

In particular, the SAML <AssertionIDRef>, <AssertionURIRef>, <Assertion> and <EncryptedAssertion> elements (of SAML 2.0) seem to cover just about any use case I could possibly think of *except* hand-authoring the whole document, but that isn't really something you'd want to do anyway when working with such things. Instead, the first software agent to handle the JSDL document would probably set all that up.

If you're trawling the SAML spec, I focussed on saml-core-2.0-os.pdf and especially on Section 2.

A separate issue is whether the SAML assertions would be best structured under the User element. Possibly not...

Donal.
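As an added example, not part of either message, the following Python script parses a constructed JSDL-like job document that carries the four SAML 2.0 carrier elements Donal names under a User element, and reports for each one what a consuming agent would still have to do before relying on it (resolve a reference, decrypt, verify the signature, check the validity window). The JSDL namespace, the placement of User directly under JobDescription, and the sample contents are assumptions made for the example; the SAML 2.0 assertion and XML Signature namespaces are the standard ones.

```python
"""Enumerate SAML 2.0 assertion carriers in a JSDL-like job document (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"      # SAML 2.0 assertion namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"           # XML Signature namespace
JSDL_NS = "http://schemas.ggf.org/jsdl/2005/11/jsdl"   # assumed JSDL namespace for this example

# Constructed sample: a job whose User element carries one of each SAML carrier.
# The placement of jsdl:User and every value below are made up for the example.
SAMPLE_JSDL = f"""<jsdl:JobDefinition xmlns:jsdl="{JSDL_NS}" xmlns:saml="{SAML_NS}"
    xmlns:ds="{DS_NS}" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <jsdl:JobDescription>
    <jsdl:JobIdentification><jsdl:JobName>example-job</jsdl:JobName></jsdl:JobIdentification>
    <jsdl:User>
      <saml:AssertionIDRef>_a1b2c3</saml:AssertionIDRef>
      <saml:AssertionURIRef>https://idp.example.org/assertions/42</saml:AssertionURIRef>
      <saml:Assertion ID="_inline1" Version="2.0" IssueInstant="2005-06-01T10:00:00Z">
        <saml:Issuer>https://idp.example.org</saml:Issuer>
        <ds:Signature><ds:SignatureValue>placeholder-signature-value</ds:SignatureValue></ds:Signature>
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="2005-06-01T10:00:00Z" NotOnOrAfter="2005-06-01T18:00:00Z"/>
      </saml:Assertion>
      <saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion>
    </jsdl:User>
  </jsdl:JobDescription>
</jsdl:JobDefinition>"""


@dataclass
class CredentialRef:
    kind: str                 # AssertionIDRef | AssertionURIRef | Assertion | EncryptedAssertion
    ref: Optional[str]        # ID or URI of a reference, or the ID of an inline assertion
    signed: Optional[bool]    # inline Assertion only: is a ds:Signature element present?
    expired: Optional[bool]   # inline Assertion only: is NotOnOrAfter already reached?
    todo: str                 # what the consuming agent must still do before trusting it


def tag(ns: str, local: str) -> str:
    """Clark-notation tag name as used by ElementTree."""
    return f"{{{ns}}}{local}"


def parse_ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2005-06-01T18:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_credentials(xml_text: str, now: Optional[datetime] = None) -> List[CredentialRef]:
    """Return one CredentialRef per SAML carrier under jsdl:User, in document order."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    user = root.find(f".//{tag(JSDL_NS, 'User')}")
    if user is None:
        return []

    found: List[CredentialRef] = []
    for child in user:
        if child.tag == tag(SAML_NS, "AssertionIDRef"):
            found.append(CredentialRef("AssertionIDRef", (child.text or "").strip(), None, None,
                                       "resolve the ID against a trusted assertion store"))
        elif child.tag == tag(SAML_NS, "AssertionURIRef"):
            found.append(CredentialRef("AssertionURIRef", (child.text or "").strip(), None, None,
                                       "fetch the URI over an authenticated channel, then validate"))
        elif child.tag == tag(SAML_NS, "Assertion"):
            signed = child.find(tag(DS_NS, "Signature")) is not None
            cond = child.find(tag(SAML_NS, "Conditions"))
            expired: Optional[bool] = None
            if cond is not None and cond.get("NotOnOrAfter"):
                expired = now >= parse_ts(cond.get("NotOnOrAfter"))
            todo = "verify the XML Signature against the issuer's key" if signed \
                else "reject: inline assertion carries no signature"
            if expired:
                todo = "reject: validity window has passed"
            found.append(CredentialRef("Assertion", child.get("ID"), signed, expired, todo))
        elif child.tag == tag(SAML_NS, "EncryptedAssertion"):
            found.append(CredentialRef("EncryptedAssertion", None, None, None,
                                       "decrypt with the recipient key, then validate the inner assertion"))
        else:
            # Anything else under User is outside the four SAML carriers; fail closed.
            raise ValueError(f"unexpected element under User: {child.tag}")
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_JSDL, now=parse_ts("2005-06-02T00:00:00Z")):
        print(f"{cred.kind:18} ref={cred.ref!s:45} -> {cred.todo}")
```

The script deliberately does not verify the signature or decrypt anything; it only shows how an agent can classify what the job document handed it and decide what validation step comes next, which is the part a consumer would be obliged to implement if the draft adopted the SAML carriers. Unknown children under User are treated as an error rather than ignored, so a document cannot smuggle in a carrier the consumer does not understand.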
I think I can agree with that (and I like your motivating examples). But there is a way forward. We can drop the UserCredential element itself but instead allow a sequence of SAML assertions or assertion references. This is a clearly defined (if large) standard and so using it would be a good thing. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security In particular, the SAML <AssertionIDRef> <AssertionURIRef> <Assertion> and <EncryptedAssertion> elements (of SAML 2.0) seem to cover just about any use case I could possibly think of *except* hand-authoring the whole document, but that isn't really something you'd want to do anyway when working with such things. Instead, the first software agent to handle the JSDL document would probably set all that up. If you're trawling the SAML spec, I focussed on saml-core-2.0-os.pdf and especially on Section 2. A separate issue is whether the SAML assertions would be best structured under the User element. Possibly not... Donal.