Oh, I see.
Impersonation being one less benign possibility… Yes, that's true. If a site has control over its RP proxy, that's probably very unlikely, but if a central RP proxy served several sites (take Oxford Uni as an example), then it's a distinct possibility?
Perhaps that's something we may need to keep in mind for the policy…
Stefan
________________________________________
From: Josh Howlett
Sent: 23 May 2014 21:51
To: Stefan Paetow; [log in to unmask]
Subject: RE: Attribute filtering / access control with moonshot
> > There is also value for an IdP in having the option to choose between
> > releasing identifiers for realm and/or CoI. It is in effect a
> > mechanism for the IdP to manage its tolerance of collusion between
> > realms.
>
> Collusion? Sorry, could you explain more in detail?
Collusion meaning the sharing of identifiers. It can either be benign, or not, depending on the goals of the colluders. If it is a research VO, it is probably benign. But clearly there are less benign possibilities.
Josh.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238