Shibboleth Developers

> If you mean b, it seems like something you could implement on top of an
> AA if you had a way to collect a set of users by some criteria and then
> set an ARP for all of them at once.
>
> Probably you want to keep default/admin ARPs pretty non-user specific.

yes, I meant b. I can keep hunting, and try to come up with a 
specific scenario....

but, the general description of the situation I'm now worried about 
is "a set of criteria is used to determine whether a specific ARP 
applies to the browser user; a second set specifies the set of 
attributes and values that are released". This actually sounds to me 
a lot like the scenario we were using when describing "dynamic 
attributes" (ie attributes generated by some plugin, after it did 
some policy algebra). The policy algebra might be complex, and the 
target site didn't want to assume the responsibility for the 
computation. Additionally, the origin side didn't want to release all 
the attribute values required for the computation. So..... the 
"generated attribute value" is different from all the attributes used 
in the policy algebra computation. And maybe I'm describing an 
attempt to provide a "general" mechanism to do this... and 
over-reaching. Maybe I'm creating a GUI requirement for the AA, when 
this was previously discussed, and we decided the site would have to 
do some programming in the AA in order to accomplish this.
--

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

   http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--