Shibboleth Developers

[Scott Cantor <>]

> hmmm...  so currently the HS provides a "hard to guess, secret value" 
> to the target, and the target  uses this to refer to a user, when 
> retrieving attributes......

Basically, yes. Mostly the AA is just a PKI-authenticated attribute service.
The handle obfuscation is not really an access control mechanism for data
release.

> if the target doesn't have such a value, but does have publicly 
> available information (eg a userid, a cert), is there a technical 
> solution the AA can use to satisfy itself that this is a valid 
> request? Or does it have to rely on policy (ie I know this SHAR, and 
> it has agreed to behave....)

I don't think there's anything obvious. We *could* have chosen to include
the SSO assertion as proof of presence (maybe we'll do that if SAML
clarifies what you can really do with an SSO assertion), but taking that
away, I don't see much is left, unless you involve the client. If you get
the cert holder to sign something, then you've got proof of posession of a
public key you could match up. Without certs, you could do it with
Kerberos/GSS-API too, I suppose.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--