
shibboleth-dev - RE: Attributes, and Shibboleth -- the EPPN swamp

Subject: Shibboleth Developers

  • From: "Paul B. Hill" <>
  • To: <>, "'Shibboleth Project'" <>, <>, <>
  • Subject: RE: Attributes, and Shibboleth -- the EPPN swamp
  • Date: Wed, 23 Jan 2002 16:01:23 -0500
  • Importance: Normal

Hi Steve,


>I had always imagined EPPN as an attribute stored on my user object
>in the enterprise directory. The enterprise would assign it, and
>would guarantee its uniqueness. It would be persistent, remaining
>constant over long periods of time.

Since EPPN came up in conjunction with Middleware, I'm not surprised that
you think of it this way. But, I was working on some IETF standards that
needed such an identifier but did not assume the presence of a directory. I
pushed EPPN so that we'd have a consistent style of identifier with fairly
consistent naming conventions coming from multiple areas. I felt that it
would help resolve a few open problems.

>You seem to be describing a different scenario -- where EPPN is
>constructed dynamically, by distributed machines that may not be
>under enterprise control. And it's an indication of the user's
>"current security context" (best phrase I could come up with on short
>notice -- let's not open the rathole of debating what that phrase
>means). Rather than a unique identifying string asserted about me by
>the enterprise.
>
>Seems to me to be two different "things". Paul, am I understanding
>you correctly?

Yes, they are two different "things" from one point of view, but also the
same "thing" from a different point of view. Using a consistent naming
scheme as a hook into a "security context" is attractive to some application
developers. If all of the application protocols refuse to specify a naming
convention we'll have even more difficulty in determining what should be put
into the directory (or what should be generated on the fly).

Paul
