Refeds


Subject Re: RFC: scoped semantics profile for edupersonEntitlement attribute values.
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Thu, 16 Oct 2014 14:54:52 +0200

* Niels van Dijk <niels.vandijk@xxxxxxxxxx> [2014-10-16 14:03]:
> A generic example for a scoped eduPersonEntitlement SHOULD be formatted
> as follows:
> 
> urn:[namespace]:[servicename]:[entitlementName]:[entitlementValue]

> 3.3.1 Service Specific Entitlements
[...]
> urn:[service namespace]:[servicename]:{[entitlementName]}:[entitlementValue]
> 
> Note that the Service namespace needs to be formally registered unless a
> prefix of x- is used to signify a custom namespace [RFC3406].
> 
> Examples:
>     urn:mace:terena.org:tcs:personal-admin
>     urn:x-surfnet:surfdomeinen.nl:role:dnsadmin

> 3.3.2 Identity Provider Specific Entitlements
[...]
> urn:[identity provider namespace]:[servicename]:{[entitlementName]}:[entitlementValue]
> 
> Note that the IDP namespace needs to be formally registered unless a
> prefix of x- is used to signify a custom namespace [RFC3406].
> 
> Examples:
>     urn:mace:exampleIdP.org:demoservice.com:demo-admin
>     urn:x-surfnet:surfnet.nl:authz:role:wikiadmin

Since the requirements for Namespace IDs (to be registered in the IANA
URN registry[1]) are the same in all cases, it does not make much sense
to me to define urn:[namespace] separately from urn:[service
namespace] and urn:[identity provider namespace].

The examples also show that there is no real difference,
e.g. urn:x-surfnet exists in both 3.3.1 and 3.3.2., and the structure
after the namespace id is the same as well.
In fact the structure needs to be invariant anyway, IMHO, otherwise I
wouldn't know how to parse a given ePE value.
If you wanted to separate them (I don't see why), I'd suggest creating
separate attributes for them.

Note that the existing value "urn:mace:terena.org:tcs:personal-admin"
is not a good example for the proposed structure, as "terena.org" is
certainly not the servicename (what would that service be?). TCS would
be the service, probably, but that's the entitlementName in your
example. I.e., it doesn't match the proposed structure.

> it is RECOMMENDED to express this as the FQDN of the service,

It's only "recommended", but for some services it might not be obvious
which FQDN to put there.

Cheers,
-peter

[1] http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml
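As an added illustration of the parsing point raised above (this is example code, not part of the original thread or the draft profile), the following Python splits an ePE value positionally into the four fields of the proposed structure and rejects values whose namespace is neither an "x-" custom namespace nor in a registered set. The set of registered NIDs is a constructed placeholder; a deployment would load the IANA registry instead. Run against the examples from the draft, it shows that "urn:mace:terena.org:tcs:personal-admin" parses with "terena.org" as the servicename, and that any colon in the entitlement value (as in the wikiadmin example) cannot be told apart from a further field.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: namespace IDs treated as registered with IANA.
# "mace" is in the IANA URN registry; load the real list in production.
REGISTERED_NIDS = {"mace"}

# NID syntax (RFC 2141): alphanumerics and hyphen, 2..32 chars, no leading hyphen.
NID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{1,31}$")


@dataclass
class ScopedEntitlement:
    namespace: str
    servicename: str
    entitlement_name: str
    entitlement_value: str


def parse_scoped_entitlement(value: str) -> Optional[ScopedEntitlement]:
    """Positional parse of urn:[namespace]:[servicename]:[entitlementName]:[entitlementValue].

    Returns None when the value does not fit the structure, so a relying
    party can refuse to base an authorization decision on it.  Colons after
    the fourth one stay inside entitlement_value: the structure alone cannot
    distinguish a nested name from a value containing ':'.
    """
    parts = value.split(":", 4)
    if len(parts) != 5 or parts[0].lower() != "urn":
        return None
    nid, service, name, rest = parts[1:]
    if not NID_RE.match(nid):
        return None
    # Namespace must be registered unless it uses the "x-" custom prefix (RFC 3406).
    if nid.lower() not in REGISTERED_NIDS and not nid.lower().startswith("x-"):
        return None
    if not (service and name and rest):
        return None
    return ScopedEntitlement(nid, service, name, rest)


def entitlement_grants(value: str, service: str, name: str, wanted: str) -> bool:
    """Exact-match authorization check on a parsed ePE value."""
    ent = parse_scoped_entitlement(value)
    return ent is not None and (ent.servicename, ent.entitlement_name,
                                ent.entitlement_value) == (service, name, wanted)


if __name__ == "__main__":
    for v in ("urn:mace:terena.org:tcs:personal-admin",
              "urn:x-surfnet:surfnet.nl:authz:role:wikiadmin"):
        print(v, "->", parse_scoped_entitlement(v))
```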