>>> On 18/04/2007 at 16:32, in message <[log in to unmask]>, Ian Young <[log in to unmask]> wrote:
> Dennison, Karen J wrote:
>
>> If not being able to distinguish this prevents lots of IdPs
>> from signing up to any form of user accountability, then we would
>> still find ourselves in the position of independent negotiation with
>> IdPs and lots of very frustrated end-users.
>
> I don't think we are going to find that we have lots of IdPs who can
> sign up to not reissuing ePTI but can't sign up to not reissuing ePPN.
I would have thought that just about anyone could sign up to the former
(ePTI) with a fairly minimal amount of effort, but that you will have
quite a number who cannot sign up to the latter and so, under the current
arrangement, are not able to do either.
Ian, you said:
> I think my first observation would be that I'm surprised that frequent
> reuse of login IDs isn't causing you headaches elsewhere already. But
> your question here is the critical one, I think.
What headaches would you expect it to cause? I'm getting worried that
so far I'm fairly pain-free!
In order to understand the problem a bit more I had a look at the data,
as I have the purge lists going all the way back to 2002. There are
25,112 official User IDs in the directory; in December 06 we purged 5061
accounts, although only 3207 were active. I guess we're only interested
in the active ones, as if they aren't, no-one cares if the ID is re-used.
So far only 104 IDs have reappeared (or 139 of the 5061). From a rough
inspection (I'll do this more closely later) quite a proportion of these
appear to be the same person come back.
There was a purge in May which I haven't done figures for, but December
2005 was the one before that. Of 2760 active (4610 total) accounts
purged, 278 are back in the directory, but again, a very rough inspection
showed a number were clearly the same person back again with the same
ID.
The problem of re-use of ePPN will surely affect any site that issues
IDs that are closely matched to the real identity, in our case a
concatenation of initials and surname, and such a policy has been very
popular with the users. I'm not meaning this as any criticism of those
sites that have chosen something rather more unrelated, e.g. ALS3705
etc., but I know that the friendly ID policy has been popular despite the
operational issues it creates (for us). Enforcing a stricter non-reuse
policy will mean more IDs have to be disambiguated (we do this by adding
extra initials here), which in turn will mean more upset users. All for
an attribute that we will seldom be making available externally (or so
the mantra goes).
> The only reason such a facility hasn't been bundled into the standard
> IdP is that making it work "out of the box" would require the bundling
> of an SQL database with the IdP distribution...
Couldn't you store the attributes back in the directory which holds all
your identity information, rather than in a separate database?
Cheers
Andy
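
The re-use check Andy describes doing by rough inspection, written out as an added example (not code from the original message or from any of the participants). It takes a purge list and the current directory, reports which purged login IDs have reappeared and whether each is the same person or a different person, and shows why an ePPN built from the login ID collides when the ID is reissued while an identifier keyed on the person does not. The sample data is constructed; the stable internal person key per account, the scope, the SP entityID, the HMAC construction and the secret are all assumptions for illustration and not anything stated in the thread.

```python
"""
Re-use check for purged login IDs (added example, not from the original
message). Reports which purged login IDs have come back into the directory
and whether the holder is the same person or a different person, then
contrasts a login-ID-based ePPN with a person-keyed persistent identifier.

Assumptions (not stated in the original): every account carries a stable,
never-reissued internal person key (e.g. a staff/student record number);
scope, SP entityID, HMAC construction and secret are illustrative only.
"""
import hashlib
import hmac

SCOPE = "example.ac.uk"                                # assumed IdP scope
SP_ENTITY_ID = "https://sp.example.org/shibboleth"     # assumed SP entityID
IDP_SECRET = b"replace-with-a-random-per-idp-secret"   # assumed IdP secret

# Constructed sample data: (login id, internal person key).
PURGED_DEC_2006 = [
    ("ajsmith", "P1001"),
    ("kjones", "P1002"),
    ("rbrown", "P1003"),
    ("mwhite", "P1004"),
]
CURRENT_DIRECTORY = [
    ("ajsmith", "P1001"),  # same person back again with the same ID
    ("kjones", "P2050"),   # a different person given the reissued ID
    ("tgreen", "P2051"),   # new user on an ID that was never purged
]


def classify_reissued(purged, current):
    """Map each purged login ID that is back in the directory to
    'same_person' or 'different_person', decided by the person key."""
    current_key = {uid: key for uid, key in current}
    result = {}
    for uid, old_key in purged:
        if uid in current_key:
            same = current_key[uid] == old_key
            result[uid] = "same_person" if same else "different_person"
    return result


def reissue_counts(purged, current):
    """Return (purged, reappeared, reissued to a different person)."""
    classes = classify_reissued(purged, current)
    different = sum(1 for c in classes.values() if c == "different_person")
    return len(purged), len(classes), different


def eppn(uid, scope=SCOPE):
    """ePPN as a scoped login ID: the same value whenever the ID is reissued,
    so a relying party keyed on it cannot tell the two holders apart."""
    return f"{uid}@{scope}"


def persistent_id(person_key, sp_entity_id=SP_ENTITY_ID, secret=IDP_SECRET):
    """Opaque per-SP identifier keyed on the person, not the login ID.
    Assumed construction: HMAC-SHA256 over person key and SP entityID."""
    msg = f"{person_key}!{sp_entity_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for uid, kind in classify_reissued(PURGED_DEC_2006, CURRENT_DIRECTORY).items():
        print(f"{uid}: {kind}")
    print("purged, reappeared, different person:",
          reissue_counts(PURGED_DEC_2006, CURRENT_DIRECTORY))
    # kjones: old and new holder share an ePPN but get distinct persistent ids
    print(eppn("kjones"), persistent_id("P1002") != persistent_id("P2050"))
```

Run against real purge lists, the "different_person" count is the figure that matters for the ePPN non-reissue discussion; the "same_person" returns that the rough inspection turned up are harmless for this purpose, and the directory attribute used as the person key must itself never be reissued for the comparison to mean anything.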