>>>>> "Stefan" == Stefan Paetow writes:
>> Sure. However, unless you perform a check IDP 1 can assert a CUI
>> belonging to a user at IDP2.
Stefan> Sorry, in what way? If you are referring to IdP1 simply
Stefan> generating a CUI and claiming it's for user X at IdP2, that
Stefan> could/would get you booted off the eduroam network (Alan +
Stefan> Janet, correct me if this is inaccurate) because policy is
Stefan> specific in saying that an IdP should only authenticate its
Stefan> own users, and in doing what it did, IdP1 is contravening
Stefan> that policy.
I don't think there is technical enforcement of that policy. There
certainly isn't in the trust-router world unless you do it yourself.