I've written this action as a new issue.

Title: Nested policy as a qualifying mechanism on an assertion is too general.  

Description: WS-Policy allows a nested/embedded policy to be used to qualify an assertion.
This is too general, as anything can appear within a policy element, including assertions that
have nothing to do with the parent assertion.

Note that WS-SecurityPolicy seems to recognize this and includes a note:
"Assertions from one domain SHOULD NOT be nested inside assertions from another domain. For example, assertions from a transaction domain should not be nested inside an assertion from a security domain." There is, however, no definition of "domain" that I could find.
Further, the "Schemas" included in WS-SecurityPolicy specify which assertions can appear within the embedded policy. But this does not work, as the contents of the <wsp:Policy> element cannot change depending on the context in which it appears.
If the authors of WS-SecurityPolicy go to the trouble of specifying which assertions can appear within the embedded policy, why don't they simply specify these assertions as possible children of the parent assertion?

Target:  WS-Policy Framework

Proposal:  Instead of nested policies, allow assertions to be qualified by defining possible child elements for them.

All the best, Ashok

Received on Tuesday, 18 July 2006 12:20:28 UTC
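
Added example (not part of the original message or of either specification): a Python check for the situation the message describes, a nested `wsp:Policy` that carries an assertion unrelated to its parent, which a single schema for `wsp:Policy` cannot reject. It assumes that "domain" means XML namespace (the message notes that no definition exists), uses the WS-Policy 1.2 namespace URI, and runs on a constructed policy whose `sec:` and `tx:` names are hypothetical.

```python
import xml.etree.ElementTree as ET  # for untrusted policy files, prefer a hardened parser

# Assumption: WS-Policy 1.2 namespace URI; change it for other framework versions.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
POLICY = "{%s}Policy" % WSP
OPERATORS = {"{%s}%s" % (WSP, n) for n in ("Policy", "All", "ExactlyOne")}

# Constructed sample: the sec: and tx: namespaces and element names are hypothetical.
SAMPLE = """
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sec="urn:example:security" xmlns:tx="urn:example:transaction">
  <sec:SecureChannel>
    <wsp:Policy>
      <wsp:ExactlyOne><wsp:All>
        <sec:Algorithm/>
        <tx:TxRequired/>
      </wsp:All></wsp:ExactlyOne>
    </wsp:Policy>
  </sec:SecureChannel>
</wsp:Policy>
"""

def ns(tag):
    """Namespace URI of an ElementTree tag such as '{uri}local'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""

def local(tag):
    return tag.rsplit("}", 1)[-1]

def assertions(container):
    """Yield the assertions under a policy operator, looking through All/ExactlyOne."""
    for child in container:
        if child.tag in OPERATORS:
            yield from assertions(child)
        else:
            yield child

def foreign_nested(policy, findings=None):
    """List (parent, nested) assertion pairs whose namespaces differ."""
    findings = [] if findings is None else findings
    for parent in assertions(policy):
        for nested in parent.findall(POLICY):  # direct wsp:Policy children only
            for child in assertions(nested):
                if ns(child.tag) != ns(parent.tag):
                    findings.append((local(parent.tag), local(child.tag)))
            foreign_nested(nested, findings)  # deeper nesting levels
    return findings

def check(xml_text):
    return foreign_nested(ET.fromstring(xml_text))
```

The schema-valid sample yields one finding, `("SecureChannel", "TxRequired")`, so the cross-domain rule has to be enforced by a separate check like this one rather than by validation.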