Subject: Shibboleth and credential negotiation
Anders,

> At least it would be interesting to hear how Shibboleth is
> going to handle this, in spite of Shibboleth
> functionality being a non-goal (it is?).

I too work on Shibboleth. Sorry to not have responded earlier.

We are still trying to figure out what we are going to do in Shibboleth. What is likely is that we will have "canned" sets of well-known attributes. And that we'll have a means of extensibility.

We are arguing whether or not there is the possibility of a target site "asking" for what it wants. The two extreme cases are: (1) the target always asks for what it wants from an attribute authority; (2) the set of attributes to be sent is pre-configured (at the source) on a "per site" basis and no asking is needed or permitted. (We are also having interesting discussions over what constitutes a "site" in Shibboleth. It ain't as easy as it sounds!)

Another aspect of this debate is to what extent the user has control of what attributes are sent -- and when this control is applied. One view says that the user gets to choose beforehand; the other view is that there ought to be an on-the-fly way for a user to designate what attributes get sent (or not sent) to the target the user is trying to access.

My personal feeling is that the user should get some choice -- particularly over whether their identity is sent. And I'd like to see the user have some runtime control of this. Most Shibbolethers are agreed about the desirability of protecting identity; as I mentioned, there is much debate on how this protection occurs.

I hope this helps.

Regards,
Marlena Erdos
IBM/Tivoli
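The two release models in the message (a per-site pre-configured attribute set versus a target that asks for what it wants), together with user consent over identity attributes, can be illustrated with a small attribute release filter. This is an added example, not Shibboleth code or anything from the original thread; the site names, attribute names and values are constructed for the illustration, and the `ReleasePolicy` and `release` names are assumptions of this example.

```python
"""Toy attribute release policy (ARP) filter.

Models the two extremes discussed on the list:
  mode (2): the source releases a canned, per-site attribute set, no asking;
  mode (1): the target asks for attributes, and the source releases only the
            intersection of what was asked for and what it is willing to give.
Identity attributes are withheld unless the user has opted in at runtime, and
the user may also veto any non-identity attribute at runtime.
Constructed example; not the project's own code.
"""
from dataclasses import dataclass, field


@dataclass
class ReleasePolicy:
    # site -> attributes the source (home org) is willing to release to that site
    per_site: dict
    # attributes that reveal identity; never released without explicit user consent
    identity_attrs: set = field(default_factory=set)
    # True  -> mode (1): the target may ask, release is narrowed to its request
    # False -> mode (2): the canned per-site set is released as configured
    target_may_ask: bool = False


def release(policy, site, user_attrs, requested=None, user_consent=None):
    """Return the attributes (name -> value) to send to `site` for this user.

    user_consent maps attribute name -> True (release) / False (withhold);
    it represents the runtime choice the message argues the user should have.
    """
    user_consent = user_consent or {}
    allowed = set(policy.per_site.get(site, ()))   # unknown site: nothing is released
    if policy.target_may_ask and requested is not None:
        # Minimize: only what the target asked for AND the source permits.
        allowed &= set(requested)

    released = {}
    for name in sorted(allowed):
        if name not in user_attrs:
            continue
        consent = user_consent.get(name)
        if name in policy.identity_attrs:
            if consent is not True:      # identity needs an explicit opt-in
                continue
        elif consent is False:           # user vetoed a non-identity attribute
            continue
        released[name] = user_attrs[name]
    return released


# Constructed sample data for the example.
USER = {
    "eduPersonPrincipalName": "jdoe@example.edu",
    "mail": "jdoe@example.edu",
    "eduPersonAffiliation": "member",
    "displayName": "J. Doe",
}
SITE = "library.example.org"
CANNED = ReleasePolicy(
    per_site={SITE: {"eduPersonAffiliation", "eduPersonPrincipalName"}},
    identity_attrs={"eduPersonPrincipalName", "mail"},
    target_may_ask=False,
)
ASKING = ReleasePolicy(
    per_site=CANNED.per_site,
    identity_attrs=CANNED.identity_attrs,
    target_may_ask=True,
)


if __name__ == "__main__":
    # mode (2), no consent: affiliation only, identity withheld
    print(release(CANNED, SITE, USER))
    # mode (2), user opts in to identity at runtime
    print(release(CANNED, SITE, USER, user_consent={"eduPersonPrincipalName": True}))
    # mode (1): target asks for displayName too, but the source never configured it
    print(release(ASKING, SITE, USER, requested={"eduPersonAffiliation", "displayName"}))
```

The interesting property is that both modes sit on the same source-side policy: letting the target ask can only narrow what is released, never widen it, and identity attributes still require the user's runtime opt-in in either mode.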
Powered by eList eXpress LLC