 |
 |
I suspect several people already involved in the discussion are aware of the standards comments surrounding this issue, but I'll summarize for the list my understanding of what we said in the standards. RFC 7055 section 3.5 describes requirements for proxies to maintain the security of an RFC 7055 environment. That level of operational advice is required even by the base standard. Without having appropriate policy in place to meet those requirements, IDPs should not trust the attributes, and it's difficult to meet the security requirements of RFC 7055. Architectures including RFC 7055, such as those discussed in draft-ietf-abfab-arch, or more concretely something like JANET's Moonshot project may well have additional policy requirements.