>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
>> Well, no. I get an opaque identifier from the IDP at the RP-side
>> proxy. How do I decide whether I should permit that value to go
>> towards the RP? The RP is likely to have this value on ACLs and
>> the like. I need to enforce that no two IDPs can have the same
>> value. I know which IDP it's coming from, but we have not
>> proposed a mechanism to make this safe to use.
Stefan> But that's up to the RP to decide what it wants to do, no? I
Stefan> mean, if the RP decides that it's going to add the realm to
Stefan> the end to ensure uniqueness, that's up to the RP to decide,
Stefan> not a technical policy/requirement/mechanism decision (i.e.
Stefan> "you must...") by those who manage the infrastructure. Or am
Stefan> I misunderstanding the context here?
If we don't have policy here, most people will get it wrong in a
horribly insecure way.
Also, Painless Security is writing a managed RP service for Janet, and I
have no idea what to implement.
Our current plan is not to support CUI for this reason; if the community
wants something different it would be good to have a proposal for secure
handling that's got general enough agreement that it is widely
applicable enough to implement in a managed service.
I tend to favor a different attribute because an RP will not have
confidence that CUI is appropriate for ACLs.
I understand that approach isn't great for people running over eduroam,
but for the default APC, I think standardizing on a CUI-like attribute
that is scoped makes more sense.
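As an added example (not code from this thread, nor from Painless Security's managed RP service), here is what scoping the opaque identifier with the realm the proxy itself authenticated looks like at the RP-side proxy; the identifier, realm and ACL values are constructed for illustration:

```python
# Added example: an RP-side proxy scopes the opaque identifier (CUI-like
# value) it receives from an IdP with the realm the proxy authenticated,
# so two IdPs emitting the same raw value cannot collide on the RP's ACLs.
# All identifiers, realms and ACL entries below are constructed.
from typing import Dict, Set


class ScopingError(ValueError):
    """Raised when a value cannot be scoped unambiguously."""


def scope_identifier(raw_cui: str, idp_realm: str) -> str:
    """Return the scoped form "<cui>@<realm>".

    raw_cui is the opaque value received from the IdP. idp_realm must be
    the realm the proxy established for this session, not a value the IdP
    asserted about itself. '@' is refused in either part so the scoped
    string parses back unambiguously.
    """
    if not raw_cui or not idp_realm:
        raise ScopingError("empty identifier or realm")
    if "@" in raw_cui or "@" in idp_realm:
        raise ScopingError("'@' would make the scoped identifier ambiguous")
    return f"{raw_cui}@{idp_realm.lower()}"


# Constructed ACL keyed on scoped identifiers.
SCOPED_ACL: Dict[str, Set[str]] = {
    "abc123@idp-a.example": {"wiki:edit"},
}

# Constructed ACL keyed on the raw value: the pattern the thread warns about.
NAIVE_ACL: Dict[str, Set[str]] = {
    "abc123": {"wiki:edit"},
}


def naive_allowed(raw_cui: str, permission: str) -> bool:
    """Grants on the raw CUI, so any IdP emitting 'abc123' is let through."""
    return permission in NAIVE_ACL.get(raw_cui, set())


def scoped_allowed(raw_cui: str, idp_realm: str, permission: str) -> bool:
    """Grants only when the realm-scoped identifier is on the ACL."""
    scoped = scope_identifier(raw_cui, idp_realm)
    return permission in SCOPED_ACL.get(scoped, set())
```

With the naive ACL the same raw value from a second realm is granted; with the scoped ACL it is not.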