Andy Swiffin wrote:
> I would have thought that just about anyone could sign up to the former
> (ePTI) with a fairly minimal amount of effort but that you will have
> quite a number who cannot sign up to the latter and so under the current
> arrangement are not able to do either.
As we discussed earlier in the thread, the technical recommendations
specifically cover the possibility of ePPN being constructed from
something other than the login ID. That's why I don't think many sites
will be *unable* to generate ePPN values with an appropriate lifetime.
> What headaches would you expect it to cause - I'm getting worried that
> so far I'm fairly pain free!
The usual thing people tell war stories about is exposure of personal
information associated with the old identity to the new person. If you
relate e-mail address to login ID this is an obvious concern.
> Enforcing a stricter non-reuse
> policy will mean more IDs have to be disambiguated (we do this by adding
> extra initials here), which in turn will mean more upset users.
Or, as previously discussed, use something else for ePPN.
> Couldn't you store the attributes back in the directory which holds all
> your identity information rather than a separate database?
ePTI is a very unusual attribute. It is multi-valued, but the values
are themselves related to a separate key (the SP name) by which you really
need to be able to look them up, for efficiency reasons. So they
aren't really the sort of thing you'd want to store in a directory, and
in fact if you read the eduPerson specification you'll see that they say
this explicitly.
You could, no doubt, somehow push ePTI values back into a directory, but
it's not something I'd advise and definitely not something you'd want
the Internet2 people to enforce on your LDAP schema by default ;-)
-- Ian
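Illustration of the two points Ian makes above: an ePTI store kept outside the directory and keyed by (person, SP name) so the value for one SP is a single indexed lookup, and the login-ID reuse hazard, where keying that store by the login ID hands the old person's targeted ID (and whatever the SP holds under it) to the next holder of the same ID. This is an added example, not Ian's code, not the Shibboleth IdP's resolver and not anything from the thread; the SQLite table, the UUID person key, the SP entityID and the directory stand-in are all assumptions made for the demo.

```python
import secrets
import sqlite3
import uuid

# Constructed sample SP entityID (not from the thread).
SP = "https://sp.example.org/shibboleth"


class TargetedIdStore:
    """Relational store for eduPersonTargetedID values.

    Each row is one value, keyed by (person key, SP entityID), so the IdP can
    fetch the single value for a given SP with one indexed lookup instead of
    scanning a multi-valued directory attribute.  SQLite is an assumption for
    the demo; any relational store with the same primary key would do.
    """

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS targeted_id ("
            " person_key TEXT NOT NULL,"
            " sp_entity_id TEXT NOT NULL,"
            " targeted_id TEXT NOT NULL UNIQUE,"
            " PRIMARY KEY (person_key, sp_entity_id))"
        )

    def get_or_create(self, person_key, sp_entity_id):
        """Return the existing value for this (person, SP) pair, minting a
        random opaque one the first time it is released to that SP."""
        row = self.db.execute(
            "SELECT targeted_id FROM targeted_id"
            " WHERE person_key = ? AND sp_entity_id = ?",
            (person_key, sp_entity_id),
        ).fetchone()
        if row:
            return row[0]
        tid = secrets.token_urlsafe(24)
        self.db.execute(
            "INSERT INTO targeted_id VALUES (?, ?, ?)",
            (person_key, sp_entity_id, tid),
        )
        self.db.commit()
        return tid

    def values_for(self, person_key):
        """All of one person's values as {SP entityID: targeted ID}: the
        multi-valued, SP-keyed shape that a flat LDAP attribute models poorly."""
        rows = self.db.execute(
            "SELECT sp_entity_id, targeted_id FROM targeted_id"
            " WHERE person_key = ?",
            (person_key,),
        )
        return dict(rows)


class Directory:
    """Stand-in for the site's identity directory (constructed for the demo).

    Login IDs may be handed to a new person after an account is removed; the
    internal person key (assumed here to be a random UUID) is never reused.
    """

    def __init__(self):
        self.active = {}  # login_id -> person_key

    def provision(self, login_id):
        key = str(uuid.uuid4())
        self.active[login_id] = key
        return key

    def deprovision(self, login_id):
        del self.active[login_id]

    def person_key(self, login_id):
        return self.active[login_id]


def release_targeted_id(store, directory, login_id, sp_entity_id, key_by_login_id):
    """Key the store by the raw login ID (the 'built from the login ID' case)
    or by the directory's never-reused person key."""
    subject = login_id if key_by_login_id else directory.person_key(login_id)
    return store.get_or_create(subject, sp_entity_id)


def reused_login_leaks_old_identity(key_by_login_id):
    """Simulate a login ID being reassigned to a second person and report
    whether that person receives the first person's targeted ID at the SP."""
    store, directory = TargetedIdStore(), Directory()
    directory.provision("jsmith")
    first = release_targeted_id(store, directory, "jsmith", SP, key_by_login_id)
    directory.deprovision("jsmith")
    directory.provision("jsmith")  # a different person, same login ID
    second = release_targeted_id(store, directory, "jsmith", SP, key_by_login_id)
    return first == second


if __name__ == "__main__":
    print("keyed by login ID, reuse leaks:", reused_login_leaks_old_identity(True))
    print("keyed by person key, reuse leaks:", reused_login_leaks_old_identity(False))
```

Run as written it reports True for the login-ID-keyed store and False for the person-key-keyed one. The same table also shows why ePTI sits awkwardly in LDAP: `values_for` returns one map per person, but the query the IdP actually makes at login time is by (person, SP), which the composite primary key answers directly.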