>>>>> "David" == David Chadwick <[log in to unmask]> writes:
David> Then why don't you concatenate the IDP name with the opaque ID
David> to make it globally unique?
An attribute like CUI that has an IDP scope attached does sound like a
good idea to me.
CUI is defined for accounting uses and I'm not at all convinced that a
pseudonym of the type we're talking about for access control purposes
has entirely the same semantics as CUI.
Even if it does, I'd rather RPs rely on a different attribute that is
guaranteed to be scoped. If we decide it's desirable, RP proxies can
construct such an attribute from CUI.
--Sam
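The construction the two messages discuss (an opaque per-user ID concatenated with the IDP name so the result is globally unique), as an added example that is not part of either participant's message and not code from any IdP or SAML project. Everything in it is an assumption made for illustration: the `@` separator, percent-encoding of the opaque part, the `IDP_SCOPES` metadata table, and the entity IDs in it. It shows the two checks an RP (or an RP proxy building a scoped attribute from CUI) would want: that plain concatenation is ambiguous when the opaque part may itself contain the separator, and that the scope must be one the asserting IdP is authorised for, otherwise one IdP can mint identifiers that collide with another IdP's users.

```python
# Added example (not from the thread): building and checking a scoped
# pseudonym of the form <opaque-id>@<idp-scope>.  The separator, the
# encoding and the IDP_SCOPES table are assumptions for illustration.
from urllib.parse import quote, unquote

SEPARATOR = "@"


def canonical_scope(scope: str) -> str:
    """Normalise a DNS-style IdP scope so that case and a trailing dot
    do not make one IdP look like two different scopes."""
    s = scope.strip().rstrip(".").lower()
    if not s or SEPARATOR in s or "%" in s or any(c.isspace() for c in s):
        raise ValueError(f"invalid scope: {scope!r}")
    return s


def naive_scoped_id(opaque_id: str, scope: str) -> str:
    """Plain concatenation: ambiguous if the opaque part may contain '@'."""
    return f"{opaque_id}{SEPARATOR}{scope}"


def build_scoped_id(opaque_id: str, scope: str) -> str:
    """Percent-encode the opaque part so the separator is unambiguous."""
    if not opaque_id:
        raise ValueError("opaque id must not be empty")
    return f"{quote(opaque_id, safe='')}{SEPARATOR}{canonical_scope(scope)}"


def parse_scoped_id(value: str) -> tuple[str, str]:
    """Inverse of build_scoped_id.  The encoded local part never contains
    the separator, so splitting on the last one recovers both halves."""
    local, sep, scope = value.rpartition(SEPARATOR)
    if not sep or not local or not scope:
        raise ValueError(f"malformed scoped id: {value!r}")
    return unquote(local), canonical_scope(scope)


# Constructed metadata (assumption): scopes each asserting IdP may use.
IDP_SCOPES = {
    "https://idp.example.org/saml": {"example.org", "idp.example.org"},
    "https://idp.other.example/saml": {"other.example"},
}


def accept_scoped_id(value: str, asserting_idp: str) -> tuple[str, str]:
    """An RP must not trust a scope merely because it appears in the
    assertion: the issuer has to be authorised for that scope, or IdP A
    could assert identifiers that collide with IdP B's users."""
    local, scope = parse_scoped_id(value)
    allowed = {canonical_scope(s) for s in IDP_SCOPES.get(asserting_idp, ())}
    if scope not in allowed:
        raise PermissionError(
            f"{asserting_idp} is not authorised for scope {scope!r}")
    return local, scope


if __name__ == "__main__":
    # Two different (id, scope) pairs collapse to one string when naively joined.
    assert naive_scoped_id("a@b.example", "c.example") == \
        naive_scoped_id("a", "b.example@c.example")
    sid = build_scoped_id("a@b.example", "IdP.Example.ORG.")
    print(sid)  # a%40b.example@idp.example.org
    print(accept_scoped_id(sid, "https://idp.example.org/saml"))
```

The scope check is the part that matters for access control: once an RP keys authorisation on the scoped value, the scope is effectively a claim about which IdP the user belongs to, so it has to be tied to the entity that signed the assertion rather than read as free text.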