grouper-users - Re: [grouper-users] discussion topic: default read/view privileges
  • From: Nate Klingenstein <>
  • To: Chris Hyzer <>
  • Subject: Re: [grouper-users] discussion topic: default read/view privileges
  • Date: Sat, 22 Jun 2013 03:48:03 +0000

The Shibboleth project has traditionally leaned towards secure defaults,
particularly for the identity provider. This was largely because we didn't
want to get publicly blamed for any breaches related to misconfiguration --
or at least to have a strong defense in the event it's happened.

There are a couple notable exceptions to this rule (e.g. SP not shipping with
cookies that are flagged secure) and we've tried to add WARNs to the logs in
those cases because we won't change defaults in a point release.

In my opinion the stricter default policies have served us well, especially
as our deployment base has grown.

I'd vote for changing this in the next major release, and until then,
documenting steps a deployer can take if security and privacy are concerns.

On Jun 22, 2013, at 3:36, Chris Hyzer wrote:

> Anyways, what are the thoughts? Should this aspect of Grouper default to
> help security, or reusability (i.e. its easier to use/reuse groups if you
> can see and read them), or a hybrid (pick and choose folders)?
