Shibboleth Developers

["Cantor, Scott E." <>]

The intent of ServiceDescription was precisely to provide the kind of 
explanatory material that would underlie asking for particular attributes. As 
Tom said, if you can't say it in a sentence, they won't read or understand it 
anyway.

I tend to think a much better model is to slap privacy logos on sets of 
attributes and have IdPs agree to using those logos in signaling things to 
the user.

And, "fixing" AttributeConsumingService is pretty obviously only going to 
happen if we're prepared to start over, accept XACML, and just slap it in 
there. Is that what people want? There's no point in trying to support a 
handful of arbitrary "nice to have" requirements. We won't get them right, 
and we'll end up with something that's too complicated to be simple, but too 
simple to be comprehensive. Any change we make will just lead to the next 
missing piece.

So it's a basic question...do we really want to require metadata consumers to 
parse XACML?

My opinion is that there are enough use cases that can live with what's there 
to justify starting with what's there and getting deployment.

The OR thing is probably the easiest thing to work around. If you want 
displayName OR cn, just ask for both. It's not that hard.
 
-- Scott