Shibboleth Developers

[Steven Carmody <>]

Agenda:

1) Startup
- Roll call, agenda bash
- Intellectual Property Rights Awareness: Internet Intellectual Property
Framework (http://www.internet2.edu/membership/ip.html)

2)  Quick items...
        -- email lists
        -- how to deliver personal infocard keyinfo to app?

3) status updates, Shib 2.1 implementation
        - status -- SP has shipped....

4) Discussion items
        -- notes on consent release, from last discussion (pasted in below)

5)  Other items?

 --

-------------------------


1-866-411-0013 (toll free US/Canada only)
or 1 -800-392-6130 (alternate toll free US/Canada only)
for callers outside the USA/Canada dial 1-734-615-7474 (not free)
Pin # : 0142203

    http://edial.internet2.edu/call/0169439 for dialout in US

    SIP-based:
      Connect directly:
      
sip:
      or via Free World Dialup to 4233425 ("I2eDial") and
         enter 0142203


-------------------------

notes from discussion of Attribute Consent release

-- trying to create consent for cases we can't currently address; not 
looking to add consent to existing use cases

-- for cases that would traditionally be handled by OpenID, but no 
OpenID sites currently support attributes (Scott's OpenID case)

Consent triggered if:

-- on default ARP? and on specific attributes,  add a new match function 
(ok the release if the requesting SP is asking for this attribute, 
either in the metadata or in the AuthN Request)

-- the RULE for such such an ARP would be ANY (would always run)

   -- ? no rule set up in advance for this site

-- this creates an extremely promiscuous IdP; however, configuring in 
the ARPViewer means that users would have to approve the release of this 
attribute

-- don't tell users about attributes they don't have control over (eg 
entitlement) (ARPViewer already has such a blacklist)

-- have a list of SPs you don't want consent triggered for

Notes:

-- it maybe very hard to explain some attributes to users (eg epTID)

   chad -- currently, for every SSO request
       consent to terms of use (first time you access the IdP and 
successfully authN)
       consent for release of attributes (when you go to a new SP, or 
the attr/values being released to that SP have changed) (also has a 
"remember this"box)
       info stored in a DB
       also have GUIs to manage "preferences"
       also has xml filesystem backed store, instead of DB
       based on abstract attr info -- not on protocol specifics
       works with PUSH only

   ArpViewer pops up a jsp page -- explore what other info could be 
templated into the page --

scott talking about eppn, email, maybe Aff (stuff you'd find in a 
typical CS card, or self-assert to a web site) - simple common attributes
   -- PN also does this (with the same set of attributes)
   this set may map initially to these to sites where CS would be 
applicable

CONSENT mech could ALWAYS be configured as required for a certain SP