RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)

[Scott Cantor <cantor.2@osu.edu>]

> An aditional example:
> 
> (5) The IdP and the SP agree on a handle for the user out-of-band (such
> as an employee number used between an employer and their payroll
> service provider.

Perhaps we should raise the issue of exactly whether and how we need to call
out a specific Format identifier of "federated" in the spec. What does it
mean, if anything? We have NameIdentifier attributes that do most of the
"work", so to speak, of identifying the parties to a federation, assuming
that an identifier needs to be so-scoped at all, and they're usable by an
identifier in any format.

Can we define a set of properties relating to persistence and/or privacy
that we can give a different name to, and open up the rest of the spec
relating to federation to essentially any kind of NameIdentifier?

Can I send a RegisterNameIdentifier message and just say "I used to send you
assertions about foo, format bar and now I'll use bar, format foo and now
you know it's the same guy"? I can't see any particular problem in that.

Any SP is free to treat the NameIdentifier as a blob or to interrogate it
for Format to learn something useful, but the issues of registration and
termination are around the use of the identifier as a shared handle and not
the other aspects that the identifier might or might not have, such as
privacy-preservation.

-- Scott