shibboleth-dev - RE: TargetedID Durability
Subject: Shibboleth Developers
List archive
- From: "David L. Wasley" <>
- To:
- Subject: RE: TargetedID Durability
- Date: Fri, 29 Jul 2005 15:16:55 -0700
- Domainkey-signature: a=rsa-sha1; q=dns; c=simple; s=test1; d=earthlink.net; h=Mime-Version:Message-Id:In-Reply-To:References:Date:To:From:Subject:Content-Type; b=sM8v1vq0IpbvpGv0mlLrX5qiFtbwyBTZSjunz+XtuQsXGPN+cwJLoTPKZQUWqDmp;
At 5:30 PM -0400 on 7/29/05, Scott Cantor wrote:
....
Since one of the reasons for making changes is to "wipe" the slate clean at
an SP, it certainly isn't required in SAML that an SP know about it.
-- Scott
Yes - and that means the SPprovidedID should NOT be used if the IdP wants to offer Subjects the ability to change ePTIDs.
That said, I agree with Scott that some of this discussion is "policy" as opposed to "technology." However, the technology should not limit the options.
My perspective on this discussion and what at least one option should be:
1) Some SPs want a "persistent identifier" to use in an ACL. It should not be changed capriciously by the IdP. I see no need to change it at all except at the Subjects request.
2) The fundamental rule is that at least one type of ePTID must, by definition, never be assigned to a different physical person because otherwise it could violate an SP's ACL. (I believe this rule is the current ePTID rule...)
3) If an SP cares, it will find a way to associate an ePTID with a specific physical person and will simply (re)invoke it if it sees an ePTID it doesn't recognize. Presumably the Subject will understand why this is happening, e.g. if they are trying to access personal information at the SP. On the other hand, if the SP uses the ePTID to maintain state for the Subject, then it is up to the Subject if s/he wants to break that "feature" or not.
3) That said, I believe privacy requires that
(a) a different ePTID be used with each SP,
(b) the IdP should -not- change the (persistent) ePTID without permission of the Subject, and
(c) the Subject should be able to cease the use of a given ePTID and get a different one for that same SP -without- the new one being linked to the former SPprovidedID !!
David
- TargetedID Durability, Chad La Joie, 07/29/2005
- Re: TargetedID Durability, Jim Fox, 07/29/2005
- RE: TargetedID Durability, Paul B. Hill, 07/29/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- Re: TargetedID Durability, Chad La Joie, 07/29/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- RE: TargetedID Durability, Jim Fox, 07/29/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- RE: TargetedID Durability, Jim Fox, 07/29/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- RE: TargetedID Durability, David L. Wasley, 07/29/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- RE: TargetedID Durability, Alistair Young, 07/31/2005
- RE: TargetedID Durability, David L. Wasley, 07/31/2005
- RE: TargetedID Durability, Alistair Young, 07/31/2005
- RE: TargetedID Durability, David L. Wasley, 07/31/2005
- RE: TargetedID Durability, Alistair Young, 07/31/2005
- Re: TargetedID Durability, Scott Cantor, 07/31/2005
- RE: TargetedID Durability, RL 'Bob' Morgan, 07/31/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- RE: TargetedID Durability, Jim Fox, 07/29/2005
- RE: TargetedID Durability, Scott Cantor, 07/29/2005
- Re: TargetedID Durability, Scott Cantor, 07/31/2005
- Re: TargetedID Durability, Chad La Joie, 07/29/2005
- Re: TargetedID Durability, Jim Fox, 07/29/2005
Archive powered by MHonArc 2.6.16.