
shibboleth-dev - RE: Multiple targets in a single domain?

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: 'Jim Fox' <>
  • Cc:
  • Subject: RE: Multiple targets in a single domain?
  • Date: Wed, 30 Jun 2004 15:06:44 -0600
  • Organization: The Ohio State University

> I have heard many times this week that Ken, perhaps, would like
> to release his real identity to example.org/manage/, but not
> to example.org/browse/wild/site, and that shib allows this.
> Maybe I misunderstood.

Well, it's "allowed" in a technical sense, but that's because the target
design is rather able to link up just about all its settings in arbitrary
ways and make requests as different identities, etc. And because we don't
release attributes to physical machines, any more than an LDAP directory
does.

But that doesn't mean it makes sense in a privacy sense or that we think we
can possibly enforce in software whether two different SPs are actually
different hosts or are sharing data. We can't.

You're focusing on one (completely legit) avenue of attack, but I'm saying
the others are equivalent from the perspective of controlling attribute
release. That's why trusting an SP is really a manual step.

-- Scott



