>>>>> "Alan" == Alan Buxey <[log in to unmask]> writes:
Alan> How does putting the realm at the end of the ID stop
Alan> impersonation? Enforcement by the Trust Router? Surely the
Alan> service provider knows the IdP from the user's anonymous ID and
Alan> can log/record/store the CUI related to that request. I don't
Alan> see what adding that realm to the end does... apart from
Alan> leaving trackable non-anonymous parts lying around, as I've
Alan> already said. alan
We had a long discussion on this.
By the time that the realm gets to the RP, it needs to have a scope.
People *won't* log and check the scope unless it's in the attribute at
the point where they put the attribute on ACLs.
We discussed options of adding the scope close to the IDP and close to
the RP.
Rhys and Stefan preferred adding the scope close to the IDP.
Especially if there are going to be multiple attributes, I tend to agree
with them.
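To make the point about scoping concrete, here is an added example (not code from this thread, nor from any Moonshot or Trust Router component). It models the RP-side check being discussed: an ACL keyed on an anonymous identifier is only as strong as the scope it carries, and the scope is only useful if the ACL evaluation actually compares it against the realm the request was authenticated against. The "<opaque-id>@<realm>" layout, the lowercase realm comparison, and the assumption that the RP's AAA server knows which realm answered the request are assumptions of this example.

```python
# Added example, not from the mailing-list thread or any Moonshot/Trust Router
# code. Assumptions: the IdP appends its realm as "<opaque-id>@<realm>", and
# the RP's AAA server knows the realm the request was actually routed to.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SCOPE_SEP = "@"  # assumed separator between opaque id and realm


@dataclass(frozen=True)
class ScopedId:
    opaque: str   # the anonymous, per-IdP identifier value
    realm: str    # the realm suffix, normalised to lowercase


def parse_scoped_id(attr: str) -> Optional[ScopedId]:
    """Split "<opaque-id>@<realm>"; return None when unscoped or malformed."""
    head, sep, realm = attr.rpartition(SCOPE_SEP)
    if not sep or not head or not realm:
        return None
    return ScopedId(head, realm.lower())


def unscoped_acl_allows(attr: str, acl: set[str]) -> bool:
    """Weak form: the ACL holds bare identifiers and the scope is ignored.
    Any IdP that emits the same opaque value matches the entry."""
    scoped = parse_scoped_id(attr)
    opaque = scoped.opaque if scoped else attr
    return opaque in acl


def scoped_acl_allows(attr: str, authenticated_realm: str,
                      acl: set[str]) -> tuple[bool, str]:
    """Strong form: the ACL holds scoped identifiers, and the scope in the
    attribute must equal the realm the request was authenticated against."""
    scoped = parse_scoped_id(attr)
    if scoped is None:
        return False, "identifier carries no scope; refusing to match ACL"
    if scoped.realm != authenticated_realm.lower():
        return False, (f"scope '{scoped.realm}' does not match authenticated "
                       f"realm '{authenticated_realm.lower()}'")
    if f"{scoped.opaque}{SCOPE_SEP}{scoped.realm}" not in acl:
        return False, "no ACL entry for this scoped identifier"
    return True, "allowed"


# Constructed sample data: the ACL grants one anonymous user of realm-a.
ACL_BARE = {"7f3a9c"}                        # weak ACL, scope not recorded
ACL_SCOPED = {"7f3a9c@idp.realm-a.example"}  # scoped ACL


def demo() -> dict[str, bool]:
    """Same opaque value arriving from the intended IdP and from another one."""
    legit = "7f3a9c@idp.realm-a.example"
    other = "7f3a9c@idp.realm-b.example"  # a different IdP reusing the value
    return {
        "weak_legit": unscoped_acl_allows(legit, ACL_BARE),
        "weak_other": unscoped_acl_allows(other, ACL_BARE),  # True: indistinguishable
        "strong_legit": scoped_acl_allows(legit, "idp.realm-a.example", ACL_SCOPED)[0],
        "strong_other": scoped_acl_allows(other, "idp.realm-b.example", ACL_SCOPED)[0],
        # realm-a's scope presented by a request authenticated against realm-b
        "strong_forged_scope": scoped_acl_allows(legit, "idp.realm-b.example", ACL_SCOPED)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The two ACL forms show why the scope has to be in the attribute at the point where ACLs are written: with the bare ACL the RP cannot tell the two IdPs apart, while with the scoped ACL both a value from the wrong realm and a mismatched scope are refused before any entry is consulted.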