Refeds

Subject Re: VO challenges - article
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Thu, 22 Oct 2015 16:23:23 +0100


On 22/10/2015 15:47, Cantor, Scott wrote:
> On 10/22/15, 10:36 AM, "David Chadwick" <d.w.chadwick@xxxxxxxxxx>
> wrote:
>> 
>> But really we are not asking for a pony, only an ant (since PIDs
>> are as common as them)
> 
> They really aren't. Leaving aside that the number of apps that
> actually work well with long, ugly, opaque IDs made up of multiple
> parts is very small, supporting that use case requires some
> non-trivial IDM practices.
> 
> In addition, as I'm sure some will speak up and say, using pairwise
> IDs does not work well for a lot of VOs. So you're really talking
> about a global identifier, something that hasn't been standardized at
> all outside higher ed (other than email addresses) and raises a lot
> more hackles besides.

The alternative is for the VO server to become a proxy IDP. It is
already trusted by the SP as they are part of the same VO. This removes
the need for attribute aggregation or for global identifiers, and the VO
Server can even send transient IDs to the SP if it cannot handle PIDs,
because the SP will have the proper VO attributes for authz.

The only thing required then is for the IdP to trust the VO server
enough to send it the long ugly opaque PID which the latter can easily
be designed to handle.

The downside is two WAYFs for the user, but we already have this when
accessing SPs in other countries. (The first redirect is, in my case, to
UKAMF; the second is to Kent.)

Regards,

David

> 
>> With the evolution of FIDO this may well be the case.
> 
> Have they started working on soft tokens yet? I lost interest when I
> found out it was about hard tokens, and was rather puzzled by who
> thought that made sense at this point.
> 
>> But the value of SSO with a PID is still worth a lot to end users
>> and SPs, at the cost of next to nothing for IdPs.
> 
> A stable seed for that requires an IDM system with capabilities that
> are far from universal.
> 
> But for me it's more about the inability of applications to use them
> effectively.
> 
> -- Scott
>
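As an added illustration, not part of this message or of the Refeds thread, the following Python simulation walks through the proxy-IdP arrangement described above: the home IdP releases a long, opaque, multi-part persistent ID only to the VO server; the VO server, which already holds the membership table, maps that PID to VO attributes and hands the SP a fresh transient ID; the SP authorizes on the VO attributes and never sees the PID. The entity IDs, the HMAC-derived PID format, the `eduPersonEntitlement` value and the class names are all assumptions made for the example; nothing here is code from any of the parties in the thread.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    """Minimal stand-in for a SAML assertion: who issued it, for whom, about whom."""
    issuer: str
    audience: str
    subject: str
    attributes: dict


class HomeIdP:
    """Campus IdP. Releases a persistent, opaque, multi-part ID only to audiences it trusts."""

    def __init__(self, entity_id, secret, trusted_audiences):
        self.entity_id = entity_id
        self._secret = secret
        self._trusted = set(trusted_audiences)

    def login(self, username, audience):
        if audience not in self._trusted:
            raise PermissionError(f"{self.entity_id} will not release a PID to {audience}")
        # Pairwise persistent ID: stable for (user, audience), unlinkable across audiences.
        digest = hmac.new(self._secret, f"{username}|{audience}".encode(), hashlib.sha256).hexdigest()
        subject = f"{self.entity_id}!{audience}!{digest}"   # the "long ugly opaque" form
        return Assertion(self.entity_id, audience, subject, {})


class VOServer:
    """VO server acting as proxy IdP: accepts the PID from the home IdP, maps it to the
    membership it already holds, and issues a transient ID plus VO attributes to the SP."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self._trusted_idps = set(trusted_idps)
        self._members = {}   # PID -> entitlements (constructed membership table)
        self._sessions = {}  # transient ID -> PID; this mapping never leaves the VO server

    def enrol(self, pid_assertion, entitlements):
        self._check(pid_assertion)
        self._members[pid_assertion.subject] = list(entitlements)

    def proxy_login(self, pid_assertion, sp_entity_id):
        self._check(pid_assertion)
        entitlements = self._members.get(pid_assertion.subject)
        if entitlements is None:
            raise PermissionError("PID is not enrolled in this VO")
        transient = "_" + secrets.token_hex(16)   # fresh per login, meaningless to the SP
        self._sessions[transient] = pid_assertion.subject
        return Assertion(self.entity_id, sp_entity_id, transient,
                         {"eduPersonEntitlement": entitlements})

    def _check(self, assertion):
        if assertion.issuer not in self._trusted_idps:
            raise PermissionError(f"untrusted IdP {assertion.issuer}")
        if assertion.audience != self.entity_id:
            raise PermissionError("assertion was not issued for this VO server")


class ServiceProvider:
    """SP inside the VO: trusts only the VO server and authorizes on VO attributes."""

    def __init__(self, entity_id, vo_server_id):
        self.entity_id = entity_id
        self._issuer = vo_server_id

    def authorize(self, assertion, required):
        if assertion.issuer != self._issuer or assertion.audience != self.entity_id:
            return False
        return required in assertion.attributes.get("eduPersonEntitlement", [])


def run_flow(username, enrolled=True):
    """Drive one complete login and report what each party saw."""
    idp = HomeIdP("https://idp.example.ac.uk", b"constructed-idp-secret", ["https://vo.example.org"])
    vo = VOServer("https://vo.example.org", ["https://idp.example.ac.uk"])
    sp = ServiceProvider("https://sp.example.org", "https://vo.example.org")
    entitlement = "urn:vo:example:member"   # constructed VO attribute value

    if enrolled:
        vo.enrol(idp.login(username, vo.entity_id), [entitlement])

    pid_assertion = idp.login(username, vo.entity_id)   # first WAYF: home IdP -> VO server
    try:
        sp_assertion = vo.proxy_login(pid_assertion, sp.entity_id)   # second WAYF: VO server -> SP
    except PermissionError:
        return {"pid": pid_assertion.subject, "transient": None, "authorized": False}
    return {"pid": pid_assertion.subject,
            "transient": sp_assertion.subject,
            "authorized": sp.authorize(sp_assertion, entitlement)}


if __name__ == "__main__":
    print(run_flow("alice"))
```

The point of the split is visible in what each party holds: the IdP only ever needs one trust relationship (with the VO server) and one audience-scoped PID, the SP only ever sees a per-login transient subject and the VO's own attributes, and the PID-to-transient mapping lives solely in the VO server's session table.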