Refeds


Subject Re: entity categories
From Leif Johansson <leifj@xxxxxxxx>
Date Thu, 27 Jun 2013 10:00:04 +0200

On 06/26/2013 05:50 PM, Benn Oshrin wrote:
> On 6/25/13 10:22 AM, Peter Schober wrote:
>
>> Short answer: Entity Categories are not the place to fix name
>> attributes or RFC-defined object classes.
>
> Right, that was just the side rant.
>
>> If you're specifically suggesting to change the above to
>>
>>    displayName AND givenName AND sn
>>
>> that's something else and about the only thing I can imagine we could do
>> "short" term.
>
> Something like that would, I think, be helpful (modulo Scott C's
> comments in his reply -- perhaps I'm not the immediate use case). ie:
> An attribute bundle is less useful to me if I don't know which
> attributes I'll be reliably getting.
>
> -Benn-

I don't want to open up a can of dead worms but imo the EC should not
even talk about specific ways to represent a name. It should just say
"provide a name for the human" and let the SP figure out exactly how
that name is represented.

This may seem like aiming for less than what we could achieve but in reality
it doesn't matter because most SPs (especially those with more connections
than only to R&E) will have to deal with any number of ways to do attributes
so that they (SPs) have to have internal attribute-mapping logic anyway.

The way I see it, ECs are inter-federation information carriers the same way
that SAML was an inter-enterprise SSO and IP was an inter-networking
protocol.

At the local metadata oracle/federation hub the EC can be transformed into
what passes for local attribute release policy management tools - including
RequiredAttribute elements that were thought (by me too) to be the solution
to this mess, but clearly are not outside the federation.

As time goes by I suspect we'll see the EC used both as an inter- and an
intra-federation tool, the same way IP is now used for everything and even
the intra-enterprise email systems use SMTP today.

        Cheers Leif
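The two pieces of mapping logic the message describes, as an added example that is not part of Leif's message or of any REFEDS or federation-hub code: the hub side reads the entity category out of an SP's SAML metadata (the mdattr:EntityAttributes extension, attribute name http://macedir.org/entity-category) and turns it into a local release rule, and the SP side accepts "a name for the human" in whichever representation the IdP chose. The category-to-bundle table, the sample SP metadata and its entityID, and the Shibboleth IdP v3 filter syntax used for rendering are assumptions for this example.

```python
# Added example: hub-side entity category -> local attribute release policy,
# and SP-side name mapping that accepts any of several name representations.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Assumed local policy: which attributes the hub releases per category.
# The bundle contents here are an assumption for this example, not a spec.
BUNDLES = {
    "http://refeds.org/category/research-and-scholarship": (
        "eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
    ),
}

# Constructed SP metadata fragment carrying one entity category (hypothetical entityID).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      Name="http://macedir.org/entity-category"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def entity_categories(entity_xml):
    """Return (entityID, set of entity-category URIs) from one EntityDescriptor.

    Only values of the entity-category attribute count; any other entity
    attribute in the same extension is ignored.
    """
    root = ET.fromstring(entity_xml)
    cats = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                cats.add(value.text.strip())
    return root.get("entityID"), cats


def release_policy(entity_xml):
    """Hub side: map the SP's categories onto the attributes to release.

    A category the hub has no policy for releases nothing, so an SP cannot
    widen release simply by asserting an unknown URI in its metadata.
    """
    entity_id, cats = entity_categories(entity_xml)
    released = set()
    for cat in cats:
        released.update(BUNDLES.get(cat, ()))
    return entity_id, sorted(released)


def shibboleth_filter_policy(entity_id, attribute_ids):
    """Render the decision as a Shibboleth IdP v3 AttributeFilterPolicy (assumed target)."""
    lines = ['<AttributeFilterPolicy id="release-by-entity-category">',
             '    <PolicyRequirementRule xsi:type="Requester" value="%s"/>' % entity_id]
    for attribute_id in attribute_ids:
        lines.append('    <AttributeRule attributeID="%s">'
                     '<PermitValueRule xsi:type="ANY"/></AttributeRule>' % attribute_id)
    lines.append("</AttributeFilterPolicy>")
    return "\n".join(lines) + "\n"


def human_name(attrs):
    """SP side: derive one display string from whatever name attributes arrived.

    attrs maps attribute name -> list of values, as a SAML SP hands them over.
    Preference order is an assumption: displayName, then givenName+sn, then cn,
    then whichever single part is present; None if no name was released.
    """
    def first(key):
        values = attrs.get(key) or []
        return values[0].strip() if values and values[0].strip() else None

    display = first("displayName")
    if display:
        return display
    given, surname = first("givenName"), first("sn")
    if given and surname:
        return "%s %s" % (given, surname)
    cn = first("cn")
    if cn:
        return cn
    return given or surname


if __name__ == "__main__":
    sp, attrs = release_policy(SAMPLE_METADATA)
    print(shibboleth_filter_policy(sp, attrs))
    print(human_name({"givenName": ["Leif"], "sn": ["Johansson"]}))
```

The hub-side function is deliberately allow-list only: the EC in metadata selects a bundle the hub already knows, and the hub never reads attribute names out of the SP's metadata itself. The SP-side function is the "internal attribute-mapping logic" the message says SPs end up needing anyway; it keeps working whether an IdP sends displayName, givenName plus sn, or cn.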