Hi Jon, 

> It's important that the unique string doesn't change unexpectedly over time, 
> since that would require the mapping to be updated before the user (or group)
> could successfully authenticate. I understand (from a distance) that this is part 
> of the objection to CUI.

When correctly implemented, CUI should not change unless one of the four constituent parts (the salt, the Operator-Name, the User-Name, or the hashing mechanism) changes. This is virtually identical to the ePTID in Shibboleth.

> since a potential user can't tell an administrator what their ID will be. There are ways
> around this (require an initial authentication and subsequently upgrade the account, 
> bootstrap the process with a single-use username/password, etc.) but these seem to 
> confuse many administrators/implementers. I believe this is hampering uptake of Shib
> where only ePTID is available.

Ok, this is useful to know (i.e. the lack of uptake/barrier for Shibboleth implementation). This is exactly how Diamond was expecting to do this, i.e. authenticating with the given local account, and then authenticating with the credential of their choice to 'link' the accounts, purely on the basis that this would be user-driven (i.e. the user chooses whether to use a 'Moonshot' login or not), not a requirement.

> There are also issues around the semantics of unique ID's and privacy. Use cases
> involving privacy requirements may not be high on Moonshot's priority list at the 
> moment, but they should not be accidentally ruled out.

From past experience, privacy is a big deal (and has to be). According to some discussions had elsewhere, some DP legislation may be interpreted such that things like the CUI or the ePTID are personal information despite being anonymous to a large degree, simply because they are still unique to the user and could potentially be used to identify someone if, for example, the home IdP or the SP were to experience a breach of some kind.

:-)

Stefan
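The properties discussed in this exchange (a CUI that stays stable while salt, Operator-Name, User-Name and hash are fixed, that differs per SP, and whose SP-side mapping breaks if the salt is rotated) can be illustrated in code. This is an added example, not Janet's or Moonshot's code: the HMAC-SHA256 construction, the sample salts, Operator-Names and user name are all constructed assumptions, since RFC 4372 leaves the actual CUI derivation to the home realm.

```python
import hashlib
import hmac

# Constructed sample values; these are not real realm secrets or user names.
SALT_V1 = b"constructed-home-idp-salt-v1"
SALT_V2 = b"constructed-home-idp-salt-v2"   # a later, rotated salt


def derive_cui(salt: bytes, operator_name: str, user_name: str) -> str:
    """Derive a CUI-style pseudonymous identifier.

    Hypothetical construction for illustration only: HMAC-SHA256 keyed with
    the home IdP's secret salt over Operator-Name and User-Name, truncated to
    32 hex characters. The real derivation is chosen by the home realm.
    """
    message = f"{operator_name}\x00{user_name}".encode("utf-8")
    return hmac.new(salt, message, hashlib.sha256).hexdigest()[:32]


def link_account(mapping: dict, cui: str, local_account: str) -> None:
    """User-driven linking step: after a local login, the SP records the CUI
    the user's home IdP just asserted against the existing local account."""
    mapping[cui] = local_account


def resolve_account(mapping: dict, cui: str):
    """Look up the local account for an asserted CUI; None if unmapped."""
    return mapping.get(cui)


def demo() -> dict:
    """Walk through the properties discussed in the thread and return them."""
    sp_a, sp_b = "1sp-a.example", "1sp-b.example"   # constructed Operator-Names
    user = "alice@home-idp.example"                   # constructed User-Name
    cui_a = derive_cui(SALT_V1, sp_a, user)
    mapping = {}
    link_account(mapping, cui_a, "alice.local")
    return {
        # Same four inputs, same CUI: the SP's mapping keeps working over time.
        "stable": derive_cui(SALT_V1, sp_a, user) == cui_a,
        # Different SPs see different CUIs, so they cannot correlate the user.
        "per_sp": derive_cui(SALT_V1, sp_b, user) != cui_a,
        "resolved_before_rotation": resolve_account(mapping, cui_a),
        # Rotating the salt changes the CUI and silently breaks the mapping.
        "resolved_after_rotation": resolve_account(
            mapping, derive_cui(SALT_V2, sp_a, user)),
    }
```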

