Ah yes, I thought that that (the inputs to the hashing function) was already fairly well agreed now, and I'm happy with that.
But there's also a question of representation - I know the world of Kerberos and RADIUS likes scoped things (value@scope), but the SAML world is moving (as fast as it can) to the triple representation (based off of the Liberty idea of a federation identifier, IIRC?) (like IdP!SP!value). I'd rather we get this right from the start and not have to live with legacy for well over a decade as we have with eduPersonTargetedId; that has caused no end of confusion for deployers.
Rhys.
Sent from a device without a real keyboard, so excuse any typos!
On 21 May 2014, at 21:13, "Sam Hartman" <[log in to unmask]> wrote:
>>>>>> "Rhys" == Rhys Smith <[log in to unmask]> writes:
>
> Rhys> One thing though - Stefan suggests the value be value@scope,
> Rhys> but previous discussion also suggested a tuple of IdP name, RP
> Rhys> name, and value (a la the newer eduPersonTargetedId
> Rhys> format). Is there any particular reason to use one over the
> Rhys> other?
>
> I thought that was discussion of what went into the value.
> I think we were discussing gss-acceptor-realm, username and the IDP's
> secret.
>
> Note that means a common value within an acceptor realm.
>
> Josh called for objections on that and we received none.