
shibboleth-dev - RE: [Shib-Dev] Metadata for Consent

Subject: Shibboleth Developers

  • From: "Cantor, Scott E." <>
  • Subject: RE: [Shib-Dev] Metadata for Consent
  • Date: Thu, 17 Feb 2011 15:07:29 +0000

The intent of ServiceDescription was precisely to provide the kind of
explanatory material that would underlie asking for particular attributes. As
Tom said, if you can't say it in a sentence, they won't read or understand it
anyway.

I tend to think a much better model is to slap privacy logos on sets of
attributes and have IdPs agree to using those logos in signaling things to
the user.

And, "fixing" AttributeConsumingService is pretty obviously only going to
happen if we're prepared to start over, accept XACML, and just slap it in
there. Is that what people want? There's no point in trying to support a
handful of arbitrary "nice to have" requirements. We won't get them right,
and we'll end up with something that's too complicated to be simple, but too
simple to be comprehensive. Any change we make will just lead to the next
missing piece.

So it's a basic question...do we really want to require metadata consumers to
parse XACML?

My opinion is that there are enough use cases that can live with what's there
to justify starting with what's there and getting deployment.

The OR thing is probably the easiest thing to work around. If you want
displayName OR cn, just ask for both. It's not that hard.

-- Scott



