Subject Re: draft charge, refeds working group on attribute release
From "Cantor, Scott E." <cantor.2@xxxxxxx>
Date Fri, 1 Jul 2011 14:41:11 +0000

On 7/1/11 4:39 AM, "Leif Johansson" <leifj@xxxxxxxx> wrote:
>On 06/30/2011 11:32 PM, Cantor, Scott E. wrote:
>> On 6/30/11 4:59 PM, "Leif Johansson" <leifj@xxxxxxxx> wrote:
>>> I'm not so sure. There may be more to the simple delegation-model other
>>> than reducing the number of IdPs
>> I was talking about authentication, but flip it around...I claim if you
>> don't limit the number, you lose most of the simplicity they claim.
>Because of discovery?

That's one reason. Another is the scalability (or lack thereof) of the
trust management and key management mechanisms available. Usually there
are none, with a commensurate loss of security. And there's the question
of identifiers and other attributes, because dealing with more IdPs means
accommodating variance.

I can probably think of some more, but the point is that all "simple"
approaches are simple because they redefine the problem into something
they can solve and then declare victory. If the redefinition is the 80/20
solution, it works ok, except for the people who cared about the 20.

-- Scott