Shibboleth Developers

[Scott Cantor <>]

> I have heard many times this week that Ken, perhaps, would like
> to release his real identity to example.org/manage/, but not
> to example.org/browse/wild/site, and that shib allows this.
> Maybe I misunderstood.

Well, it's "allowed" in a technical sense, but that's because the target
design is rather able to link up just about all its settings in arbitrary
ways and make requests as different identities, etc. And because we don't
release attributes to physical machines, any more than an LDAP directory
does.

But that doesn't mean it makes sense in a privacy sense or that we think we
can possibly enforce in software whether two different SPs are actually
different hosts or are sharing data. We can't.

You're focusing on one (completely legit) avenue of attack, but I'm saying
the others are equivalent from the perspective of controlling attribute
release. That's why trusting an SP is really a manual step.

-- Scott