>>> On 23/04/2007 at 14:22, in message <[log in to unmask]>, Ian Young <[log in to unmask]> wrote:
> As we discussed earlier in the thread, the technical recommendations
> specifically cover the possibility of ePPN being constructed from
> something other than the login ID. That's why I don't think many sites
> will be *unable* to generate ePPN values with an appropriate lifetime.
But, hang on a sec, didn't you say the opposite earlier:
> The eduPerson specification is clear that the expectation is that the
> eduPersonPrincipalName is the identifier used to authenticate the user.
> The main reason I can see for wanting this to be the case is to do
> with the user therefore being aware of the value, so that it can be used
> in out-of-band communications. For example, my ePPN is [log in to unmask]
> (same as my e-mail address) and I can phone someone up and say "my ePPN
> is [log in to unmask], please add me to that access control list".
>
> The usual thing people tell war stories about is exposure of personal
> information associated with the old identity to the new person.
We haven't had any issues (that I know of) and have been using the same
policy for quite some number of years. From the brief stats I did, it
looks like the majority of re-use of identifiers is really a re-issue to
the same person. I will produce a more detailed analysis going back to
2002 just for my own interest though.
> If you relate e-mail address to login ID this is an obvious concern.
I would have thought that the ideal was _always_ to relate email
address and login ID, preferably having them the same? I regret that I
introduced the dots in our email addresses but that was the fad at the
time.
However as regards ePPN we seem to be going round in circles. If it is
legitimate to use some other identifier then we can consider that and
may be able to sign rule 6, otherwise I think not unless we go for a
change of policy and put some work in.
Cheers
Andy