Subject: RE: [security-services] Forwarding thread on "previously established an identifier usable by the requester"?

> I should have linked to this message from Brian Campbell as 
> part of the April 5 agenda. We can discuss this thread under 
> errata or as an independent item during the call.
> http://lists.oasis-open.org/archives/saml-dev/200503/msg00000.html

Synthesizing a few potentially concrete things from that thread (not to
disparage my long-winded and mostly unsatisfactory responses that people
will so enjoy):

- we might want to strengthen the proviso in the NIM protocol about
transient identifiers not "generally" being used with it

- we definitely should clarify whether the SPProvidedID feature in NIM
attaches the alias to "this principal" (the current text) or "this NameID"
(my intent, not precluding or requiring the IdP from attaching it to other
applicable NameIDs for the same principal)

- reaffirming that AllowCreate false was definitely not intended to preclude
use of pre-provisioned identifiers as in many current use cases

- whether persistent in and of itself assumes dynamic creation during SSO (I
think we're agreed it doesn't)

- whether persistent attribute-based identifiers introduce a loophole
sufficient to render using AllowCreate pointless anyway

-- Scott
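As an added illustration (not code from the thread or from any SAML implementation), the following models how an IdP can honour NameIDPolicy/@AllowCreate="false" and still return a persistent identifier that was pre-provisioned out of band, refusing only when nothing has been established for that principal/SP pair; the store and helper names are assumptions for this example.

```python
# Added example, not part of the original thread. Minimal model of IdP
# NameIDPolicy handling: persistent ids may be pre-provisioned, AllowCreate
# only governs minting a *new* persistent id, transient ids are always minted.
# NameIdStore and resolve() are hypothetical names chosen for this example.
from dataclasses import dataclass, field
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
STATUS_INVALID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


@dataclass
class NameIdStore:
    # (principal, sp_entity_id) -> persistent identifier value
    persistent: dict = field(default_factory=dict)

    def resolve(self, principal, sp, fmt, allow_create):
        """Return (nameid_value, None) on success or (None, status_uri) on refusal."""
        if fmt == TRANSIENT:
            # transient ids are minted per session; AllowCreate is irrelevant here
            return secrets.token_urlsafe(24), None
        if fmt == PERSISTENT:
            key = (principal, sp)
            if key in self.persistent:
                # already established (pre-provisioned or from an earlier SSO):
                # AllowCreate="false" does not block returning it
                return self.persistent[key], None
            if allow_create:
                # SP permits creation, so mint and remember a new opaque value
                self.persistent[key] = secrets.token_urlsafe(24)
                return self.persistent[key], None
            # nothing established and the SP forbids creation: refuse
            return None, STATUS_INVALID_POLICY
        # unsupported format for this model
        return None, STATUS_INVALID_POLICY
```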

