shibboleth-dev - Negated require rules?

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: Negated require rules?
  • Date: Thu, 25 Oct 2007 16:16:18 -0400
  • Organization: The Ohio State University

I'm going through old bugs and requests so I can close out feature
development, and I ran into one I'm not sure whether to implement or not.

https://bugs.internet2.edu/jira/browse/SSPCPP-48

I'm going to redo the htaccess logic anyway, because it's horrible to read,
and it's inefficient anyway, but adding negation concerns me. I can do it,
the other ACL plugin already supports the idea, but when I started thinking
about how to deal with null/missing data, I realized that this is
potentially dangerous to rely on.

Basically, saying that the presence of a value triggers a denial of access
is very dependent on attribute release never falling into the user's hands.
If I can gain access simply by refusing the release of some of my
attributes, obviously I will.

So even though I supported NOT rules in my XML plugin, I'm not so sure this
is a good thing to add to htaccess. It's also very confusing when you
combine it with ShibRequireAll and that whole mess. I'm thinking this might
be better left alone.

Thoughts?

-- Scott
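
The null/missing-data concern raised in the message above, as an added example that is not part of the original post and is not Shibboleth code: a toy rule evaluator showing that a negated rule evaluated as plain boolean NOT is satisfied when the attribute is simply not released, next to a variant that treats missing data as a denial. The rule tuple format, the attribute names and values, and the `require_all` flag (standing in for an AND/OR switch such as ShibRequireAll) are all assumptions made for the illustration.

```python
# Added illustration; not Shibboleth code. The rule tuple format, attribute
# names and values below are constructed for this example.

def matches(attrs, name, value):
    """True if the session carries attribute `name` with `value`."""
    return value in attrs.get(name, ())

def check_naive(attrs, rule):
    """Negation evaluated as plain boolean NOT: missing data satisfies it."""
    negate, name, value = rule
    hit = matches(attrs, name, value)
    return (not hit) if negate else hit

def check_strict(attrs, rule):
    """Negation only counts when the attribute was actually released."""
    negate, name, value = rule
    if not attrs.get(name):
        return False  # null/missing data never satisfies any rule
    hit = matches(attrs, name, value)
    return (not hit) if negate else hit

def authorize(attrs, rules, require_all, check):
    """Combine rule results with AND (require_all) or OR."""
    results = [check(attrs, r) for r in rules]
    return all(results) if require_all else any(results)

# Constructed policy: must be a member AND must not have status 'suspended'.
RULES = [(False, "affiliation", "member"), (True, "status", "suspended")]

# Constructed sessions; the third is the second user with 'status' withheld.
SESSIONS = {
    "good standing": {"affiliation": ["member"], "status": ["active"]},
    "suspended": {"affiliation": ["member"], "status": ["suspended"]},
    "suspended, status withheld": {"affiliation": ["member"]},
}

def evaluate(check, require_all=True):
    """Return {session label: access granted?} for the chosen semantics."""
    return {label: authorize(attrs, RULES, require_all, check)
            for label, attrs in SESSIONS.items()}

if __name__ == "__main__":
    for fn in (check_naive, check_strict):
        print(fn.__name__, evaluate(fn))
    print("check_naive, OR-combined", evaluate(check_naive, require_all=False))
```

The strict variant also denies a legitimate user whose identity provider never releases `status`, so a negated rule is only as dependable as the release of the attribute it names. With OR-combination the negated rule stops constraining anything, because the positive rule alone grants access.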




