>>>>> "Josh" == Josh Howlett <[email protected]> writes:
Josh> or attribute requests to an attribute authority that is not
Josh> the Identity Provider.
>>
>> I'm nervous about this for the trust model issues I brought up.
>> I could see using the same attribute in the cases where the trust
>> model is going to be the same. However I definitely think we
>> want a different attribute if we want different processing
>> semantics in the RP.
Josh> I don't follow this. Why can't we put these semantics to the
Josh> SAML layer?
I think that both the RP and intermediates need to understand what trust
model the IDP is using--at least to the extent that they need to
understand what claims about the attributes the IDP is making.
See the three trust models in my last mail.
I want this document to either have a single trust model or to explain
how an RP and intermediate determines the trust model.
I guess that could be SAML layer if there is a good mechanism for that.
>> One particularly thorny issue will be what the IDP should do with
>> a request for an attribute from a different provider that it
>> could satisfy but not under the trust model the RP was hoping
>> for.
Josh> I agree it's thorny, but is this actually a use-case that we
Josh> care about? I would prefer to punt it to the business layer.
Josh> Josh.
Explain what it would mean to punt on this; I'm confused as to how we
could do that if multiple trust models are in play.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab