Subject Re: eduPersonSubjectIDGUID
From Nick Roy <nroy@xxxxxxxxxxxxx>
Date Thu, 22 Oct 2015 18:16:24 +0000


From: Nick Roy <nroy@xxxxxxxxxxxxx>
Date: Thursday, October 22, 2015 at 11:02 AM
To: "refeds@xxxxxxxxxx" <refeds@xxxxxxxxxx>, "mace-dir@xxxxxxxxxxxxx" <mace-dir@xxxxxxxxxxxxx>
Subject: Re: [refeds] Re: [MACE-Dir] eduPersonSubjectIDGUID

As an adjunct to this, the eduGAIN-published portability service could also be a long-lived and community-supported IdP of last resort, since a person would need to log into it anyways to hook up their old value to their new account.


From: "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx>
Date: Thursday, October 22, 2015 at 12:14 PM
To: Nick Roy <nroy@xxxxxxxxxxxxx>, "mace-dir@xxxxxxxxxxxxx" <mace-dir@xxxxxxxxxxxxx>
Subject: RE: eduPersonSubjectIDGUID

I don’t see how global portability works without a central organizing entity.

Without that central entity to tell you which UUID belongs to whom, the UUID is meaningless.


I don’t see ‘portability’ as being useful.  When a person moves from one institution to another they don’t pick up their identity and take it with them.  The identity at the old institution remains and gains some form of ‘inactive’ attribute, and a new identity is established at the new institution.  I don’t think ‘portability’ is what is needed.  It may or may not be desirable to link one or more current identities to one or more old identities, i.e., I am mark@xxxxxxxxxxx, I am mark@xxxxxxxxxxxxx, and I am also mark@xxxxxxx.



From: Nick Roy [mailto:nroy@xxxxxxxxxxxxx]
Sent: Thursday, October 22, 2015 1:01 PM
To: Jones, Mark B <Mark.B.Jones@xxxxxxxxxxx>; mace-dir@xxxxxxxxxxxxx
Subject: Re: eduPersonSubjectIDGUID


Global portability across institutions, and across things like IdPs of Last Resort which may go out of business.




From: "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx>
Date: Thursday, October 22, 2015 at 11:58 AM
To: Nick Roy <nroy@xxxxxxxxxxxxx>, "mace-dir@xxxxxxxxxxxxx" <mace-dir@xxxxxxxxxxxxx>
Subject: RE: eduPersonSubjectIDGUID


I don’t think an identifier has any value without a scope/context.


What is the use case?




From: mace-dir-request@xxxxxxxxxxxxx [mailto:mace-dir-request@xxxxxxxxxxxxx] On Behalf Of Nick Roy
Sent: Thursday, October 22, 2015 11:27 AM
Subject: [MACE-Dir] eduPersonSubjectIDGUID




I've seen the subject of type 4 (UUIDs or GUIDs) as a way to create a globally unique (with no need for scoping) identifier across systems without any kind of coordination or state sharing between them crop up recently.


With all the talk of nameIDs that can change/be reassigned, and targetedIDs not providing the type of valuable "collusion" (I prefer the word "coordination" in this positive context) that VOs need, and scoped IDs being hard for a lot of systems to deal with, I would like to ask this group:


Is it time for a new eduPerson attribute along the lines of "eduPersonSubjectIDGUID" (or whatever you want to call it) which is just a permanent-per-person, portable, non-reassignable, globally unique and non-scoped type 4 UUID?  This would allow it to be created for a person at their home institution at the time the home institution adopts this schema extension in their IAM system.  It could be used as a persistent ID and asserted to "everyone" "by default."  A clearinghouse of these values could be set up in eduGAIN and provide global account linking.  It could then become standard practice when someone leaves an institution to tell them to access this service with their account before they leave, and immediately access it with their new account when they get to their new institution.  When they access the service at the new institution, it could send them an email containing information about how to tell their local IAM people their existing value.  If an IAM system registers for messages from this service, it could get these values auto-provisioned.




Thank you,
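The proposal above (a non-reassignable, non-scoped type 4 UUID plus an eduGAIN clearinghouse for account linking), worked through as an added example that is not code from this thread, from eduPerson or from eduGAIN: a validator for the attribute value a relying party would accept, and a toy linking service that hands the departing person a short-lived single-use code at the old institution, redeems it once at the new one, and refuses an account whose asserted GUID changes. The `Clearinghouse` class and its method names are an assumed design, not a real API.

```python
import re
import secrets
import time
import uuid

# Canonical text form a relying party should accept: lowercase RFC 4122, version 4.
_CANON = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def is_valid_subject_guid(value):
    """Reject uppercase, braces, urn: prefixes, time-based v1 values, scoped strings."""
    if not isinstance(value, str) or not _CANON.match(value):
        return False
    u = uuid.UUID(value)
    return u.version == 4 and u.variant == uuid.RFC_4122

class Clearinghouse:
    """Toy model of the eduGAIN linking service (assumed design, not a real API).
    Each scoped account is bound to exactly one GUID; a GUID is never reassigned."""

    def __init__(self, link_ttl_s=600, now=time.time):
        self._accounts = {}  # scoped account -> subject GUID
        self._pending = {}   # one-time link code -> (GUID, expiry timestamp)
        self._now, self._ttl = now, link_ttl_s

    def register(self, account, guid):
        """An IdP asserted `guid` for a logged-in `account`; refuse a changed value."""
        if not is_valid_subject_guid(guid):
            raise ValueError("not a canonical type 4 UUID: %r" % guid)
        bound = self._accounts.get(account)
        if bound is not None and bound != guid:
            raise ValueError("%s is already bound to a different GUID" % account)
        self._accounts[account] = guid

    def start_link(self, account):
        """Before leaving: a logged-in person gets a short-lived, single-use code."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (self._accounts[account], self._now() + self._ttl)
        return code

    def complete_link(self, code, new_account):
        """At the new institution: redeem the code once and bind the new account."""
        guid, expires = self._pending.pop(code, (None, 0.0))
        if guid is None or self._now() > expires:
            raise ValueError("unknown, used, or expired link code")
        self.register(new_account, guid)
        return guid

    def accounts_for(self, guid):
        """All accounts linked under one GUID (e.g. mark@old and mark@new)."""
        return sorted(a for a, g in self._accounts.items() if g == guid)
```

The mismatch check in `register` is what catches the reassigned-nameID problem the thread worries about: if an IdP ever starts asserting a different value for an account already on file, the service refuses rather than silently relinking.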