
shibboleth-dev - RE: ARP ACLs and authorization

Subject: Shibboleth Developers

RE: ARP ACLs and authorization


  • From: "Scott Cantor" <>
  • To: "'Michael A. Grady'" <>, <>
  • Subject: RE: ARP ACLs and authorization
  • Date: Sat, 30 Mar 2002 20:19:42 -0500
  • Importance: Normal
  • Organization: The Ohio State University

> My personal opinion is that building anything that encourages
> yet another silo of hard-coded usernames is the antithesis of
> the thrust of the Internet2 Middleware effort. And I'm going
> to disagree with Scott here -- building this in is worse than
> building in nothing.

We have to be careful in the design. As a matter of initial
implementation, I don't think what we're talking about is a problem, but
I very much agree that the design should accommodate pluggable "decision
resolution", if you will, so that authorization can rely on external
infrastructure if it exists.

If we're designing with objects, those objects should be able to tell
the AA who is authorized to use them. How they figure that out can be
overridden. If that's more or less what you were aiming at, we're not in
disagreement on that point.

-- Scott
