Shibboleth Developers

[Chad La Joie <>]

Scott Cantor wrote:
> > In my organization I see Infocard as an IdP authn method as likely being
> > more useful in the near term than managed cards (issued by the IdP and
> > consumed by app RPs), though obviously the latter is where the real
> > promise of Infocard lies.
>
> Definitely have heard mixed opinions about this, especially since CSv1
> doesn't support requiring a PIN on self-issued cards. So do we want people
> registering cards that basically make their desktop a permanently
> "signed-in" client for SSO? Probably some people would say sure, e.g.
> Kerberos sites.

I actually see this as a bit more scary than Kerberos.  With Kerb I can 
control the environment to a degree.  I can force certain password 
quality rules, or timeouts, verify certain things about the computer 
before allowing it to connect to my KDC if I wanted, etc.  None of that 
would be true in this case.  A bad user could have a desktop that does 
auto-login and no PIN on the card.

To me this would be like a web-based "authentication" mechanism were the 
user just has to enter their user name.  If they get it right, they're 
"authenticated".  I can't believe it, but I think we've stumbled upon an 
"authentication" mechanism that I dislike even more than IP address 
based auth.  ;)

> > To the extent that there is anything in Infocard material saying who is
> > supposed to trust whom (very little, to my knowledge), the common use case
>
> The profiles are definitely written in a manner that strongly communicates a
> model in which the IdP is not a vehicle for controlling what the user does
> or where they do it. That doesn't mean you can't, but it says to me that
> we'll be arguably alone in doing so for now, and may run into limitations if
> we push any spec boundaries in trying to do it.

Well, given how nicely MS did on ADFS and its attribute support 
(hardcoded names and namespaces that require you to write DLLs to 
add/edit names/namespaces) I'm not sure going a bit beyond what they are 
thinking is necessarily a bad thing.  I do agree that it can cause 
issues, again as we saw with ADFS.  However, we also need to keep in 
mind that to date MS has had a very bi-lateral view of the world and our 
community has a very federation-oriented view.  This is going to cause 
some mismatches between what our users want and what MS is doing.


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch