Subject: RE: [security-services] Groups - draft-sstc-nameid-05.pdf uploaded
Scott,

Item 1: The document uses the terms "identity provider" and "authentication authority". Only "identity provider" is defined in the Definitions section, and the definition refers to providing "Principal authentication". I am not clear whether or not these are used interchangeably or are intended to specifically reference different services.

Item 2: The document specifically states that federations "must" be explicitly consented to by the user. I understand the implications if the "must" changes to a "should", but I am mulling a consideration inside the enterprise as follows: The motivation of SSO inside an enterprise is to reduce costs by reducing account maintenance activities (which in turn is accomplished through reduction in the number of accounts and reduction in the number of password resets required). In that case, allowing the user to choose not to federate accounts may well go against the cost motive of the enterprise (not always bad motives). Assuming the enterprise will honor necessary privacy considerations and desire maintaining at least some degree of user satisfaction, it seems this would be a case where the enterprise may legitimately not allow for user opt-out. I realize this would open the door to potentially inappropriate forced federation.

Affiliations would seem to be a means to address this internal enterprise need. The disadvantage I see is it would force enterprise internal service providers to all adopt the same identity for the user. Given the myriad of legacy systems in a large enterprise, synchronization of identities among systems is not always possible.

Do I understand this correctly? Thoughts?
Mike

-----Original Message-----
From: email@example.com [mailto:firstname.lastname@example.org]
Sent: Monday, October 27, 2003 6:42 PM
To: email@example.com
Subject: [security-services] Groups - draft-sstc-nameid-05.pdf uploaded

The document draft-sstc-nameid-05.pdf has been submitted by Scott Cantor (firstname.lastname@example.org) to the OASIS Security Services TC document repository.

Document Description: Schema revisions, added glossary section.

Download Document: http://www.oasis-open.org/apps/org/workgroup/security/download.php/4029/draft-sstc-nameid-05.pdf

View Document Details: http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=4029