I agree that guidance is what we want here.
People are going to have different requirements and explore things.
I for example had not considered the risks of CUI before.
As I understand it from RADIUS:
CUI is intended to provide a way of correlating usage for accounting and
billing while obscuring identity.
Authorization was not considered. Also, I suspect to a large extent IDP
impersonation was not considered because for accounting most of the
accounting info will be directed back towards the IDP anyway.
This means that when we consider authorization in scope, we need to
defend against one IDP impersonating another.
--Sam