On Tue, Jan 18, 2011 at 10:08 AM, Josh Howlett <[email protected]> wrote:
>> >>
>> >> Control question for Sam and Scott: is it possible (and
>> >> reasonably easy) to do SP-centric attribute aggregation for
>> >> abfab, by which I mean having the SP issue additional attribute
>> >> queries to IdPs within the AAA-centric trust model proposed by
>> >> Sam and Josh?
>>
>> Josh> Yes, possible and easy (assuming, obviously, we can assume
>> Josh> that the SPs and IdP have a common identifier for the
>> Josh> subject).
>>
>> Josh, I suspect you are right, but the details are not clear to me.
>
> Nor me in truth; I suspect that I am about to discover it was inadvisable of
> me to claim 'easy' :-)

It depends on the trust relationship the SP has with the various AAs in
question, but in general, this is a hard problem. How does the SP prove to
the AA that the user is present and actively involved in the transaction?
The AA would have to have a fairly liberal attribute release policy to hand
out user attributes to the SP without some form of user consent.

Tom
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
