
security-use message



Subject: Shibboleth and credential negotiation


Anders,

>At least it would be interesting to hear how Shibboleth is
>going to handle this, in spite of Shibboleth
>functionality being a non-goal (it is?).

I too work on Shibboleth.  Sorry to not have responded earlier.

We are still trying to figure out what we are going to do in
Shibboleth.

What is likely is that we will have "canned" sets of
well-known attributes.  And that we'll have a means
of extensibility.

We are arguing whether or not there is the possibility
of a target site "asking" for what it wants.  The two
extreme cases are: (1) the target always asks for what it
wants from an attribute authority; (2) the set of attributes
to be sent is pre-configured (at the source) on a "per site"
basis and no asking is needed or permitted.  (We are also
having interesting discussions over what constitutes
a "site" in Shibboleth.  It ain't as easy as it sounds!)

Another aspect of this debate is to what extent the
user has control of what attributes are sent -- and
when this control is applied.   One view says that
the user gets to choose beforehand; the other view is
that there ought to be an on-the-fly way for a user
to designate what attributes get sent (or not sent)
to the target the user is trying to access.

My personal feeling is that the user should get some
choice -- particularly over whether their identity is
sent.  And I'd like to see the user have some runtime
control of this.  Most Shibbolethers are agreed about the
desirability of protecting identity; as I mentioned,
there is much debate on how this protection occurs.

I hope this helps.

Regards,
Marlena Erdos
IBM/Tivoli
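The message above lays out two axes for attribute release: whether the target asks for attributes or receives a pre-configured per-site set, and whether the user constrains release beforehand or at runtime. The following is an added illustration of how an origin-side release decision could combine both axes; it is example code written for this page, not Shibboleth's own, and the well-known attribute names, the per-site policy table, the sample user and the "identifying" subset are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical "canned" set of well-known attributes the source is willing to speak about.
WELL_KNOWN = {"eduPersonAffiliation", "eduPersonPrincipalName", "mail", "displayName"}
# Assumed subset that reveals who the user is; withholding these protects identity.
IDENTIFYING = {"eduPersonPrincipalName", "mail", "displayName"}

# Constructed per-site policy at the source: the most each target may ever receive.
SITE_POLICY = {
    "library.example.edu": {"eduPersonAffiliation"},
    "journal.example.org": {"eduPersonAffiliation", "eduPersonPrincipalName", "mail"},
}

# Constructed sample user record held by the attribute authority.
SAMPLE_USER = {
    "eduPersonAffiliation": "student",
    "eduPersonPrincipalName": "alice@example.edu",
    "mail": "alice@example.edu",
}


@dataclass
class UserPrefs:
    """What the user decided, either beforehand or on the fly."""
    withhold_identity: bool = True                          # chosen beforehand
    release_identity_to: set = field(default_factory=set)   # runtime per-target consent
    blocked: set = field(default_factory=set)               # never released anywhere


def decide_release(target, user_attrs, prefs, requested=None, targets_may_ask=False):
    """Return (released, refused): values to send, and the reason each other attribute stays home."""
    refused = {}
    permitted = set(SITE_POLICY.get(target, set()))

    if targets_may_ask and requested is not None:
        # Extreme (1): the target asks. Its request is still bounded by the canned set
        # and by what the site policy allows for this target.
        for attr in requested:
            if attr not in WELL_KNOWN:
                refused[attr] = "not a well-known attribute"
            elif attr not in permitted:
                refused[attr] = "not permitted for this target by site policy"
        candidate = {a for a in requested if a in WELL_KNOWN and a in permitted}
    else:
        # Extreme (2): pre-configured per-site set; any request is ignored.
        candidate = permitted

    released = {}
    for attr in sorted(candidate):
        if attr in prefs.blocked:
            refused[attr] = "blocked by user"
        elif (attr in IDENTIFYING and prefs.withhold_identity
              and target not in prefs.release_identity_to):
            refused[attr] = "identity withheld by user"
        elif attr not in user_attrs:
            refused[attr] = "not held for this user"
        else:
            released[attr] = user_attrs[attr]
    return released, refused


if __name__ == "__main__":
    # Default preferences withhold identity; affiliation still goes out.
    print(decide_release("journal.example.org", SAMPLE_USER, UserPrefs()))
    # Runtime consent for one target releases the identifying attributes there only.
    print(decide_release("journal.example.org", SAMPLE_USER,
                         UserPrefs(release_identity_to={"journal.example.org"})))
```

The two extremes are selected by `targets_may_ask`; in either mode the user's preferences are applied last, so a target can never obtain an attribute the user withheld, and an unknown target receives nothing because it has no per-site entry.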




