shibboleth-dev - Re: ARP ACLs and authorization
Subject: Shibboleth Developers
- From: "Michael A. Grady" <>
- To:
- Subject: Re: ARP ACLs and authorization
- Date: Sat, 30 Mar 2002 19:02:04 -0600
- Organization: University of Illinois
My personal opinion is that building anything that encourages yet
another silo of hard-coded usernames is the antithesis of the thrust
of the Internet2 Middleware effort. And I'm going to disagree
with Scott here -- building this in is worse than building in nothing.
Parviz Dousti wrote:
>
> --On Friday, March 29, 2002 5:28 PM -0600 "Michael A. Grady"
> <>
> wrote:
>
> >> - Think of ACL as a set of uids. Users who are in the ACL of an
> >> object can "insert" an object hanging off of that object. e.g. if
> >> user foo is in the ACL of SHAR object of my ARP, foo can create a new
> >> RESOURCE object for me.
> >>
> >
> > When you say a 'set of uids', I assume you are talking generically? E.g.
> > that a uid might actually represent a group, or 'self', or a DN from a
> > directory? You don't literally mean storing ACLs whose values are the
> > actual usernames?
>
> I really don't want to implement a full-fledged authorization system. I
> specifically did not have groups in mind when I wrote that. I like to have
> the notion of ACLs in the design and implement the minimum that would make
> this project useful at this time. Of course we would make sure to make it
> easily expandable and can use an external authorization module. I think
> time would tell how this system would be used and in which direction it
> would be expanded.
>
--
Michael A. Grady
Senior Research Programmer http://ljordal.cso.uiuc.edu
Computing & Communications Services Office (217) 244-1253 phone
University of Illinois at Urbana-Champaign (217) 265-5635 fax
Rm. 103, MC 680, 2212 Fox Drive, Suite C Champaign, IL 61820