security-use message
Subject: Re: Shibboleth and credential negotiation


Marlena,

<snip>
> I too work on Shibboleth.  Sorry to not have responded earlier.

Better late than never!  I think Shibboleth is an exciting project.  Wish I could join...

> We are still trying to figure out what we are going to do in
> Shibboleth.

> What is likely is that we will have "canned" sets of
> well-known attributes.  And that we'll have a means
> of extensibility.

If applied to A2ML that would be in the form of a "Shibboleth partner" XML schema definition?

> We are arguing whether or not there is the possibility
> of a target site "asking" for what it wants.  The two
> extremes cases are: (1) the target always asks for what it
> wants from an attribute authority; (2) the set of attributes
> to be sent is pre-configured (at the source) on a "per site"
> basis and no asking is needed or permitted. 

I don't consider these two extremes; I would rather characterize this
as the *only* two possibilities, where (2) represents the current
A2ML solution.  If there really is a *third* option, what would that
look like?

A side-effect of (1) is that the target is authenticated before the source, which
IMO gives much better control over the situation ("genuine" target or not?) and is
a pre-condition for any serious information-disclosure user options.

<snip>

> I hope this helps.

It was very interesting to read; now I just wonder how this TC will treat this.

Anders
