>>>>> "Matthew" == Matthew Vernon <[log in to unmask]> writes:
Matthew> Hi,
Matthew> On 29/05/14 09:55, Stefan Paetow wrote:
>> I'm guessing that this is one of the reasons why there is
>> currently a restriction that the RP can only belong to one COI at
>> any one time (whereas IdPs are free to belong to any number of
>> COIs), so that the trust router can correctly establish which COI
>> is being used.
Matthew> I worry that this may come back to bite us at some point;
Matthew> it's not hard to envisage situations where a single RP
Matthew> might wish to be part of more than one COI...
It's quite easy in fact.
The restriction comes in at multiple levels:
* Code limitations that are just a matter of programming to fix.
* How EAP works
* How existing applications interact with their authentication process
* UI considerations
* Privacy considerations
I strongly encourage people who see this as a potential issue to put
together a white paper covering interactions with COI selection on at
least these topics.
It's probably worth looking at previous work in the network selection
problem space within the IETF, as even within a single application
domain people have found it tricky to manage this for a related problem.
The trick here is not imagining a desire for a solution so much as
doing the hard work of planning a solution.