Subject Re: [MACE-Dir] eduPersonSubjectIDGUID
From Nate Klingenstein <ndk@xxxxxxxxxxxxx>
Date Fri, 23 Oct 2015 03:33:48 +0000

> That’s part of the fear for everyone.  Distributed change control is very hard to do well.  I think we no longer have the luxury of avoiding it, though, because the alternative is centralized change control, which means we’re immediately trying to be an Okta or a Windows Azure AD Connect.

… without the full set of features or guaranteed homogeneity that these services can manage and we can’t, because we’re kinda half centralized, while they’ve gone whole hog I-am-your-IdP.

My gambit is saying that we need to make the call to go totally centralized or totally decentralized, because right now we’re saddled with the pains of a centralized infrastructure without many of the benefits of a centralized infrastructure due to the wide variance in all other aspects of a federated transaction.

If we persist in trying to take this hybrid approach, I worry we drift further and further out of the picture as we offer fewer features and more challenges than either bilateral federation or completely homogeneous federation.

> That said, there’s no reason why a provider couldn't be in a group, and that would be verified by chasing another trust reference that the corresponding provider would provide, and this could be a natural role for InCommon to play.

Along with regional authorities and providers.  For example, I could imagine UCTrust being one of the authorities that a UC provider would point to as a trust anchor.