Hi Sam,

Thanks for your response. Let me add that this is really not a big issue with me for now. I see some very interesting use cases that relate to liability concerns around certain attributes, and I consider this conversation useful just to the point of knowing whether we are able to accomplish the task of having attribute providers later, if and when demand warrants.
Just on one point:

>> Another source of complexity surrounds how an IDP links
>> an assertion to a subject. What confidence is the RP
>> asserting that the additional assertion describes the same
>> principal as the access-accept message.
>
> Eliot> On this point - the IdP either is or is not authoritative for
> Eliot> knowing at the very least where the information is going to
> Eliot> come from.
>
> I agree with this sentence. I don't understand how it fits into the
> quoted paragraph above.

I may have misunderstood what you originally wrote. Perhaps what you are saying is that if there is absolutely no requirement that the IdP trust the attribute provider at all, that it simply passes bits, then there is a risk that the information returned might not be related to the principal. I would suggest that it is incumbent on the attribute provider to at least make an assurance that it won't happen, because you're right: the RP cannot be assured otherwise, because it may not have sufficient information or even authorization to reference the principal to the RP.

One other challenge here would be to consider whether it is permissible that the unique index or name of the principal in the context of the attribute provider could leak to the RP. If that name is covered by a signature, it cannot easily be removed.

Eliot

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
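The two concerns raised in the message above, whether an attribute assertion is bound to the same principal as the access-accept and whether a signed attribute-provider identifier can be stripped before it reaches the RP, can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from any ABFAB implementation: the JSON message layout, the field names (`subject`, `ap_subject_index`, `ap_handle`), the keys, and the use of HMAC-SHA256 as a stand-in for the AP's and IdP's real signatures are all assumptions made so the example runs offline. The opaque-handle variant at the end is one possible mitigation, not something the thread proposes.

```python
"""Toy model of attribute-assertion subject binding and signature coverage.

Added example, not ABFAB protocol code. Message format, field names, the
HMAC-as-signature shortcut and all keys below are assumptions for illustration.
"""
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed keys. A real deployment would use the AP's and IdP's asymmetric
# signing keys; HMAC stands in so the example needs no key material on disk.
AP_KEY = b"attribute-provider-signing-key"          # assumption
AP_INDEX_SECRET = b"attribute-provider-index-secret"  # assumption
IDP_KEY = b"idp-signing-key"                        # assumption


def _canonical(payload: Dict[str, Any]) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return the payload plus a tag computed over every field in it."""
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": dict(payload), "sig": tag}


def verify(assertion: Dict[str, Any], key: bytes) -> bool:
    """Recompute the tag over the payload as received and compare it."""
    expected = hmac.new(key, _canonical(assertion["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def strip_field(assertion: Dict[str, Any], field: str) -> Dict[str, Any]:
    """What an IdP would have to do to hide a field it does not want to forward.

    The signature is left untouched, which is exactly why this cannot work when
    the field is inside the signed region.
    """
    payload = {k: v for k, v in assertion["payload"].items() if k != field}
    return {"payload": payload, "sig": assertion["sig"]}


def same_principal(access_accept: Dict[str, Any], attr_assertion: Dict[str, Any]) -> bool:
    """RP-side check: both messages must carry the same subject binding."""
    a = access_accept["payload"].get("subject")
    b = attr_assertion["payload"].get("subject")
    return a is not None and a == b


def opaque_handle(ap_index: str) -> str:
    """Per-principal handle the AP could sign instead of its raw internal index
    (assumed mitigation; the RP sees a stable handle but not the AP's name)."""
    return hmac.new(AP_INDEX_SECRET, ap_index.encode(), hashlib.sha256).hexdigest()[:32]


def demo() -> Dict[str, bool]:
    attrs = {"entitlement": "urn:example:lab-access"}  # constructed attribute
    access_accept = sign({"subject": "alice@idp.example", "result": "accept"}, IDP_KEY)

    # Case 1: the AP's own index for the principal sits inside the signed payload.
    raw = sign({"subject": "alice@idp.example",
                "ap_subject_index": "AP-row-4711", "attrs": attrs}, AP_KEY)
    stripped = strip_field(raw, "ap_subject_index")

    # Case 2: the AP signs an opaque per-principal handle instead of its index.
    handled = sign({"subject": "alice@idp.example",
                    "ap_handle": opaque_handle("AP-row-4711"), "attrs": attrs}, AP_KEY)

    # Case 3: a validly signed assertion that is about a different principal.
    other = sign({"subject": "bob@idp.example", "attrs": attrs}, AP_KEY)

    return {
        "raw_verifies": verify(raw, AP_KEY),
        "raw_linked_to_accept": same_principal(access_accept, raw),
        "stripped_still_verifies": verify(stripped, AP_KEY),
        "handle_verifies": verify(handled, AP_KEY),
        "handle_exposes_index": "AP-row-4711" in json.dumps(handled),
        "other_linked_to_accept": same_principal(access_accept, other),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two points side by side: removing `ap_subject_index` from a signed assertion leaves a tag that no longer verifies, so an IdP that merely passes bits cannot redact the AP's identifier, while an assertion whose `subject` does not match the access-accept fails the RP's binding check even though its signature is good. The `ap_handle` variant keeps the signature intact without carrying the AP's internal name; whether that is acceptable depends on the deployment and is not something the thread decides.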
