shibboleth-dev - RE: TargetedID Durability

Subject: Shibboleth Developers

RE: TargetedID Durability


  • From: "Paul B. Hill" <>
  • To: <>
  • Subject: RE: TargetedID Durability
  • Date: Fri, 29 Jul 2005 15:08:41 -0400



>Our different understanding is not whether an ePTID can ever change.
>The causes you mention are valid reasons to change an ePTID.
>However, absent some special agreement or action between the SP
>and IdP, I think an ePTID for a user to a particular SP has to be
>invariant, forever.

It sounds like we're talking about the difference between a MUST and a
SHOULD.

Isn't the key point the authorization side effects? If a user's ePTID
changes, absent some out-of-band work between the SP and IdP, then the user
may subsequently be operating under a different set of privileges.

If a change in the ePTID does not affect the user's privileges, the user
won't care; however, there may be cases where an auditor cares.

From this line of reasoning I think the invariance should be treated as a
SHOULD. A federation membership agreement or an agreement between an SP and
IdP could say that it is a MUST for their usage.

Paul
