Shibboleth Developers

["Scott Cantor" <>]

> My personal opinion is that building anything that encourages 
> yet another silo of hard-coded usernames is the antithesis of 
> the thrust of the Internet2 Middleware effort. And I'm going 
> to disagree with Scott here -- building this in is worse than 
> building in nothing.

We have to be careful in the design. As a matter of initial
implementation, I don't think what we're talking about is a problem, but
I very much agree that the design should accommodate pluggable "decision
resolution", if you will, so that authorization can rely on external
infrastructure if it exists.

If we're designing with objects, those objects should be able to tell
the AA who is authorized to use them. How they figure that out can be
overridden. If that's more or less what you were aiming at, we're not in
disagreement on that point.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--