shibboleth-dev - RE: Attributes, and Shibboleth -- the EPPN swamp

Subject: Shibboleth Developers

  • From:
  • To: "'Shibboleth Project'" <>, <>, <>
  • Subject: RE: Attributes, and Shibboleth -- the EPPN swamp
  • Date: Wed, 23 Jan 2002 12:32:37 -0500

I had originally suggested the EPPN to handle a couple of situations.

One, so that it could be used as a SASL Authorization identifier (the SASL
spec and most other specs that are using SASL today tend to skip over the
naming issue when talking about this identifier.)

Two, not all domains have a single namespace. Some sites may still be using
local password files, so the RHS may actually specify an individual machine.
E.g.

might not be the same as
.
In this case, if the "unique identifier" was created by the receiving
application server, it is difficult to determine what the behavior should
actually be. (Is the receiver going to know that the fully qualified machine
name should be on the RHS, or will it just use the DNS domain name?)

Three, I felt that the RHS should be specified by the originator, not the
application server, so that the identifier could travel through one or more
servers without getting mangled. By servers in this context I am including
proxy servers, n-tier systems, relay servers, fanout systems, etc.


I had always imagined EPPN as an attribute stored on my user object in the enterprise directory. The enterprise would assign it, and would guarantee its uniqueness. It would be persistent, remaining constant over long periods of time.

You seem to be describing a different scenario -- where EPPN is constructed dynamically, by distributed machines that may not be under enterprise control. And it's an indication of the user's "current security context" (best phrase I could come up with on short notice -- let's not open the rathole of debating what that phrase means). Rather than a unique identifying string asserted about me by the enterprise.

Seems to me to be two different "things". Paul, am I understanding you correctly?
--

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
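The question raised in the thread (does the receiver accept only the enterprise's DNS-domain RHS, or also a fully qualified machine name on the RHS?) comes down to how a receiving application parses a scoped identifier and checks its scope. The following is an added illustration written for this archive page; it is not Shibboleth project code. It assumes a hypothetical receiver that holds a configured list of trusted scopes (`TRUSTED`), and both the scope list and the sample identifiers are constructed for the example. It shows the two policies side by side: exact-match on the RHS, and an optional mode that also accepts a host name underneath a trusted domain, while refusing a bare string-suffix match so that an unrelated domain that merely ends in the same characters is not accepted.

```python
"""Parse an eduPersonPrincipalName-style scoped identifier (user@scope) and
decide whether the scope (RHS) is one the receiver trusts.

Added illustration; not Shibboleth project code. The trusted-scope list and
the sample identifiers below are constructed for the example."""

from typing import Iterable, Optional, Tuple


def parse_scoped(value: str) -> Optional[Tuple[str, str]]:
    """Split 'lhs@rhs' into (lhs, rhs).

    Returns None when the value is not a single well-formed scoped string
    (no '@', more than one '@', or an empty side). The RHS is normalised to
    lowercase with any trailing dot removed, since DNS names are
    case-insensitive and 'example.org.' names the same zone as 'example.org'."""
    if value.count("@") != 1:
        return None
    lhs, rhs = value.split("@")
    rhs = rhs.lower().rstrip(".")
    if not lhs or not rhs or rhs.startswith(".") or ".." in rhs:
        return None
    return lhs, rhs


def scope_accepted(rhs: str, trusted_scopes: Iterable[str],
                   allow_host_scopes: bool = False) -> bool:
    """Return True when rhs is a trusted scope.

    allow_host_scopes=False: only an exact match counts (the enterprise
    assigns a single DNS-domain RHS). allow_host_scopes=True: a fully
    qualified machine name underneath a trusted domain also counts, which is
    the 'RHS names an individual machine' case from the thread. The check is
    on a label boundary ('.' + scope), never a bare string suffix, so an
    unrelated domain ending in the same characters is not accepted."""
    rhs = rhs.lower().rstrip(".")
    for scope in trusted_scopes:
        scope = scope.lower().rstrip(".")
        if rhs == scope:
            return True
        if allow_host_scopes and rhs.endswith("." + scope):
            return True
    return False


def evaluate(value: str, trusted_scopes: Iterable[str],
             allow_host_scopes: bool = False) -> str:
    """Classify one incoming identifier as 'malformed', 'untrusted-scope' or 'ok'."""
    parsed = parse_scoped(value)
    if parsed is None:
        return "malformed"
    _, rhs = parsed
    if not scope_accepted(rhs, trusted_scopes, allow_host_scopes):
        return "untrusted-scope"
    return "ok"


# Constructed trusted-scope list and constructed sample inputs.
TRUSTED = ["example.org"]
SAMPLES = [
    "alice@example.org",          # enterprise-assigned RHS
    "alice@host1.example.org",    # machine-name RHS (per-host password file)
    "alice@notexample.org",       # unrelated domain sharing a string suffix
    "alice@EXAMPLE.ORG.",         # differs only in case and trailing dot
    "alice",                      # no scope at all
    "alice@x@example.org",        # two '@' signs
]

if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_host_scopes={policy}")
        for sample in SAMPLES:
            print(f"  {sample!r:28} -> {evaluate(sample, TRUSTED, policy)}")
```

Run stand-alone, the block prints each sample's classification under both policies; the host-name RHS is rejected under exact-match and accepted under the host-scope policy, while the unrelated domain, the unscoped value and the double-'@' value are rejected under both.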



