
shibboleth-dev - Re: Attribute Queries in Shib 2

Re: Attribute Queries in Shib 2

  • From: Chad La Joie <>
  • Subject: Re: Attribute Queries in Shib 2
  • Date: Mon, 09 Jul 2007 11:03:58 -0400
  • Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
  • Organization: Georgetown University

Ian Young wrote:
>> All the information is being encrypted in
>> transit (since it's over SSL/TLS).
>
> Let me say up front that I agree that the front channel *should* be
> operating over TLS. I have pushed hard to strongly encourage good
> practice in this area in the UK federation.
>
> However, it's not guaranteed. Front channel protocols work just fine
> over unencrypted connections, so you can place money on people sometimes
> deploying that way, no matter how much you and I might think it is a
> terrible idea.
>
> There are 12 http:// AssertionConsumerService/@Locations in the InCommon
> metadata, for example (2 in the UK federation, 37 in SWITCH). That's
> part of the world your IdP has to operate in, it seems to me, and if you
> default to attribute push without taking the SP's capabilities into
> account you're making a data spill more likely.
>
> Remember that I'm not saying you can't default intelligently to
> attribute push when you know it's safe. It's making that the default
> without making the safety check that I think is unwise, because the
> world observably doesn't match your stated assumptions.

I don't disagree, but there is only so much we can default (in the code).
However, the direction we prepare will say to secure these endpoints
(which is unfortunately a less firm default).

>> The idea that the user seeing their
>> attributes being a problem seems silly to me.
>
> Attributes are statements made about the subject by party A for
> consumption by party B. I can't see why you'd assume that all such
> attributes should be visible to the subject: an opinion (a credit score,
> or a medical assessment) or something involving more than one data
> subject, for counter-examples.

See, I actually don't believe that I should be prohibited from knowing
any bit of information that the IdP is asserting about me. But I do
recognize that this is a personal belief that some share and some don't.

> I'm not saying that people *ought* to move this kind of thing around.
> But they will, and they aren't going to remember to change the default
> profile in use when they change an ARP.

So, folks can know the information at such time that they would
manipulate a filter policy but not at the time of actual transmission?

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
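An added example (not code from this thread or from the Shibboleth project) of the safety check Ian describes: before defaulting to attribute push for an SP, the IdP confirms that every AssertionConsumerService Location in that SP's SAML 2.0 metadata is an https URL. The metadata, entityIDs and hostnames below are constructed for the example.

```python
# Added illustration of the "safety check" from the thread: only default to
# attribute push when none of the SP's ACS endpoints would receive the
# assertion over plain http. Metadata and names are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed federation metadata: one SP with only https endpoints, one SP
# that also registers a plain-http AssertionConsumerService.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://sp-good.example.org/shibboleth">
    <SPSSODescriptor>
      <AssertionConsumerService Binding="{POST}"
        Location="https://sp-good.example.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-mixed.example.org/shibboleth">
    <SPSSODescriptor>
      <AssertionConsumerService Binding="{POST}"
        Location="https://sp-mixed.example.org/Shibboleth.sso/SAML2/POST"/>
      <AssertionConsumerService Binding="{POST}"
        Location="http://sp-mixed.example.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def acs_locations(metadata_xml):
    """Map each entityID to the Location of every AssertionConsumerService it declares."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        locs = [acs.get("Location", "")
                for acs in entity.iter(f"{{{MD}}}AssertionConsumerService")]
        result[entity.get("entityID")] = locs
    return result

def insecure_endpoints(metadata_xml):
    """(entityID, Location) pairs where a pushed assertion would cross the wire in the clear."""
    return [(eid, loc) for eid, locs in acs_locations(metadata_xml).items()
            for loc in locs if urlsplit(loc).scheme.lower() != "https"]

def push_is_safe(metadata_xml, entity_id):
    """Default to attribute push only if the SP has ACS endpoints and all of them are https."""
    locs = acs_locations(metadata_xml).get(entity_id, [])
    return bool(locs) and all(urlsplit(l).scheme.lower() == "https" for l in locs)
```

An unknown entityID yields False, so an SP absent from metadata never gets push by default either.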
