shibboleth-dev - Re: Gridshib profile

Re: Gridshib profile

  • From: Tom Scavo <>
  • To: Von Welch <>
  • Cc: Thomas Lenggenhager <>,
  • Subject: Re: Gridshib profile
  • Date: Fri, 4 Mar 2005 13:20:16 -0500

On Thu, 3 Mar 2005 18:44:32 -0600, Von Welch <> wrote:
>
> You are correct in your understanding that the Grid Service would
> need to be listed in the ARP and I agree adding that to our profile
> would help.

ARPs are a deployment tool not a profile consideration, so yes, we
should address this issue in the GridShib deployment documentation.
On the other hand, the profile should specify security considerations,
which currently we do not do.

Thomas' point is well taken, however. We must mitigate the
possibility that a grid service could request attributes for any user.
Perhaps there is some comfort in the fact that the DN in the proxy
cert is short-lived, so if we make sure that the DN binding at the IdP
expires along with the proxy cert, this is good enough.

As Thomas suggests, if we can solve the pseudonymous GridShib use
case, this problem goes away.

> > Shibbolizing Grid and LionShare services that way

Remember, GridShib and LionShare are different in that a LionShare
peer pushes attributes. In the case of LionShare, user policy is
ignored since the user is requesting its own attributes.

Up to now, GridShib hasn't seriously considered attribute push. We
should. It solves a bunch of problems simultaneously.

> > would require the
> > availability of end-user tools with which a user would be able to
> > configure his/her user specific ARP easily.
>
> I believe all the ARP management tools I've seen are meant to be run by
> the IdP admin. Do any user tools exist?

I've seen a detailed specification and know of at least two people who
have or are working on this. Don't know the current status, however.
(Steven Carmody would know.)

Tom

