Refeds


Subject Re: RFC: scoped semantics profile for edupersonEntitlement attribute values.
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Thu, 16 Oct 2014 15:38:54 +0200

* Niels van Dijk <niels.vandijk@xxxxxxxxxx> [2014-10-16 14:03]:
> 3. Scoped eduPersonEntitlement values

While eduPerson says 

  "The meaning of scope is specific to the attribute to which it is
  attached and can vary from one attribute to another."
  http://macedir.org/specs/eduperson/#Scope

(and it does not list ePE as being among the "scoped" attributes
defined in eduPerson) I'd probably still avoid the term "scoped", to
not cause more confusion than necessary.
The above would allow for ePE to be defined as "scoped" and could even
use the suggested syntax, but everyone else ever having to do with
eduPerson stuff will expect "scope" to mean value@domain.
The quote above makes such an assumption unreasonable, I'd still like
to avoid that particular concern.

Note that Shibboleth SP also has "scope" checking built in (i.e., the
current concept of scope is implemented in software), against
published shibmd:Scope values in SAML metadata.
Where would be the correlation in your proposed data structure to
that? If you do not intend to have SP software filter attribute values
on scope (which needed to be implemented separately in the SP anyhow),
again, maybe not call it "scope".

If you're creating a separate attribute (instead of using ePE) the
above still applies in some sense (people expecting a LHS@RHS) but
it'd be much less problematic IMHO than having two very different
types of "scope" within eduPerson -- even if the spec allows for that.
-peter
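
The scope check against published shibmd:Scope values mentioned in the message above, as an added example that is not part of the original message and not Shibboleth's own code: Python that reads shibmd:Scope elements from SAML metadata and keeps only LHS@RHS attribute values whose right-hand side matches one of them. The metadata, the sample values and the function names are constructed for illustration; splitting on the last "@" and case-sensitive comparison are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample IdP metadata (illustrative, not from the message).
METADATA = r"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
      <shibmd:Scope regexp="true">^.+\.dept\.example\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed attribute values as an SP might receive them.
SAMPLE_VALUES = [
    "staff@example.org",
    "member@cs.dept.example.org",
    "staff@example.net",
    "staff@example.org.example.net",
    "urn:mace:example.org:entitlement:library",
]

def load_scopes(metadata_xml):
    """Return (literal scopes, compiled regex scopes) from shibmd:Scope."""
    literals, patterns = set(), []
    for el in ET.fromstring(metadata_xml).iter(f"{{{SHIBMD_NS}}}Scope"):
        text = (el.text or "").strip()
        if el.get("regexp", "false").lower() in ("true", "1"):
            patterns.append(re.compile(text))
        elif text:
            literals.add(text)
    return literals, patterns

def scope_allowed(value, literals, patterns):
    """True only for LHS@RHS values whose RHS matches a published scope."""
    lhs, sep, rhs = value.rpartition("@")  # assumption: split on the last "@"
    if not (lhs and sep and rhs):
        return False  # no LHS@RHS shape (e.g. an entitlement URN): nothing to check
    return rhs in literals or any(p.fullmatch(rhs) for p in patterns)

def filter_scoped(values, metadata_xml):
    literals, patterns = load_scopes(metadata_xml)
    return [v for v in values if scope_allowed(v, literals, patterns)]
```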