Shibboleth Developers

[Noah Levitt <>]

On Thu, Jun 03, 2004 at 18:40:24 -0400, Scott Cantor wrote:
> > One thing we need to decide initially is whether the target
> > will use this same document to make authorization decisions.
> > If not, much of the information will have to be duplicated,
> > and the information available to the arp gui will be
> > unnecessarily limited, so I suggest that we do use it.
> 
> I think that's ultimately going to be a mistake. Authorization is really,
> really complex, and I think is best left separate from a basic expression of
> "what I want you to send me", which is the only thing the contract
> represents.

In the arp gui discussions we've been assuming that the arp
gui can figure with some certainty out whether a user is
going to get access to a particular resource, which demands
all of this detail.

> 
> Yes, it's duplication in some ways, but if it really matters, then one can
> always generate both out of the same source of data.

In what ways is my xml insufficient to _be_ the source data?

Are we planning to continue using .htaccess in 1.3, or will
that change? If it's going to change, what did you have in
mind as a replacement?

Noah