slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Relationship of VSA's `resourceUri` with the attestation `subject` #1219

Open adityasaky opened 1 month ago

adityasaky commented 1 month ago

The artifact a VSA applies to is identified using the resourceUri in the attestation predicate (per https://slsa.dev/spec/v1.0/verification_summary#fields). Should the VSA spec add guidance about how resourceUri is related to entries in the attestation's subject field? A subject can have its own uri as well; should this match?

Alternatively, should we deprecate resourceUri in favor of subject? This would be consistent with how we treat provenance for artifacts AIUI. This would also enable generating a single VSA when verifying multiple artifacts against the same policy.

TomHennen commented 4 weeks ago

I suppose if it's causing confusion we should definitely say something.

In our usage the subject.uri field has no relation whatsoever to the resourceUri. Users are free to have the subject.uri set to whatever they like.

I'd prefer we not replace resourceUri with subject.uri. I seem to remember this being discussed to quite some extent before, but I cannot find the discussion. If we want we can document that rationale.
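To make the two positions in this thread concrete, here is an added example (not code from the slsa-framework/slsa repository or from either commenter) showing how a consumer would check a VSA against an artifact: the binding check is the digest in `subject`, the `resourceUri` is compared against what the consumer expects, and matching `subject.uri` to `resourceUri` is left as an optional local policy, since the spec does not require them to agree. The sample VSA, its URIs and digests are constructed for this example; the field names follow the in-toto Statement v1 layout and the SLSA v1.0 Verification Summary predicate.

```python
"""Illustrative consistency checks between a VSA's resourceUri and its
subject entries (added example, not code from the slsa-framework/slsa repo).

Field names follow the in-toto Statement v1 layout and the SLSA v1.0
Verification Summary predicate (subject[].name / digest / uri and
predicate.resourceUri / verificationResult). The sample VSA below is
constructed for this example; the digests are not real artifact hashes.
"""

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"

# Constructed sample: one VSA whose subject.uri differs from resourceUri,
# mirroring the situation described in the issue.
SAMPLE_VSA = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {
            "name": "app-1.2.3.tar.gz",
            "uri": "pkg:generic/app@1.2.3",   # free-form, chosen by the VSA producer
            "digest": {"sha256": "aa" * 32},
        }
    ],
    "predicateType": VSA_PREDICATE_TYPE,
    "predicate": {
        "verifier": {"id": "https://example.com/verifier"},
        "timeVerified": "2024-01-01T00:00:00Z",
        "resourceUri": "https://example.com/releases/app/1.2.3",
        "policy": {"uri": "https://example.com/policy/app"},
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_2"],
    },
}


def find_subject(statement, digest_alg, digest_value):
    """Return the subject entry whose digest matches, or None.

    The digest comparison is the binding check: a VSA is about the bytes
    named in its subject, whatever resourceUri says about them.
    """
    for entry in statement.get("subject", []):
        if entry.get("digest", {}).get(digest_alg) == digest_value:
            return entry
    return None


def check_vsa(statement, digest_alg, digest_value, expected_resource_uri,
              require_subject_uri_match=False):
    """Check a VSA against an artifact and the resourceUri the consumer expects.

    Returns a list of problems (empty when the VSA is acceptable). The final
    check, that subject.uri equals resourceUri, is a local policy choice this
    example offers as an option; the SLSA v1.0 spec does not require the two
    fields to agree.
    """
    problems = []
    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        problems.append("predicateType is not a SLSA v1 VSA")
        return problems
    predicate = statement.get("predicate", {})

    subject = find_subject(statement, digest_alg, digest_value)
    if subject is None:
        problems.append(f"no subject with {digest_alg}:{digest_value}")

    if predicate.get("resourceUri") != expected_resource_uri:
        problems.append(
            f"resourceUri {predicate.get('resourceUri')!r} != expected "
            f"{expected_resource_uri!r}")

    if predicate.get("verificationResult") != "PASSED":
        problems.append("verificationResult is not PASSED")

    if require_subject_uri_match and subject is not None:
        if subject.get("uri") != predicate.get("resourceUri"):
            problems.append(
                f"subject.uri {subject.get('uri')!r} does not match "
                f"resourceUri {predicate.get('resourceUri')!r}")
    return problems


if __name__ == "__main__":
    digest = "aa" * 32
    expected = "https://example.com/releases/app/1.2.3"
    # Default policy: passes even though subject.uri and resourceUri differ.
    print(check_vsa(SAMPLE_VSA, "sha256", digest, expected))
    # Strict local policy: flags the mismatch.
    print(check_vsa(SAMPLE_VSA, "sha256", digest, expected,
                    require_subject_uri_match=True))
```

Run as-is, the first call returns an empty list and the second reports only the subject.uri/resourceUri mismatch; a consumer that wants to require agreement between the two fields would turn on the flag, while one that follows the current spec would leave it off.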