>>>>> "Eliot" == Eliot Lear <[email protected]> writes:
Eliot> Perhaps what you are saying is that if there is absolutely no
Eliot> requirement that the IdP trust the attribute provider at all,
Eliot> that it simply passes bits, then there is a risk that the
Eliot> information returned might not be related to the principal.
Eliot> I would suggest that it is incumbent on the attribute
Eliot> provider to at least make an assurance that it won't happen,
Eliot> because you're right - the RP cannot be assured otherwise
Eliot> because it may not have sufficient information or even
Eliot> authorization to reference the principal to the RP.
That's one case.
Another case is where, say, you are linking principals based on names and
you have two principals with the same name. E.g., I want to provide an
assertion about credit availability. My credit score attribute provider
can link based on SSN (in the US) or name.
The IdP doesn't have the SSN, so it has to ask about the name.
What happens if the linking is off?
Eliot> One other challenge here would be to consider whether it is
Eliot> permissible that the unique index or name of the principal in
Eliot> the context of the attribute provider could leak to the RP.
Eliot> If that name is covered by a signature, it cannot easily be
Eliot> removed.
Oh, thanks for enumerating this one!
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
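The two failure modes discussed in this message, linking a principal by a non-unique name and an attribute-provider-local index that cannot be stripped because the signature covers it, as an added Python example. This is not code from the thread or from any ABFAB implementation: the attribute provider records are constructed, an HMAC under a shared key stands in for whatever signature the real protocol would use, and the "split" assertion layout (signature over the attributes only, index carried outside the signed part) is an assumed design offered for contrast, not something the thread proposes.

```python
import hashlib
import hmac
import json

# Constructed example: a shared HMAC key between the attribute provider (AP)
# and whoever verifies its assertions. Assumption, not anything from the thread.
AP_KEY = b"constructed-ap-signing-key"

# Constructed AP records. Two principals share a name, so linking by name alone
# is ambiguous; the SSN is unique but the IdP does not hold it.
AP_RECORDS = [
    {"index": "ap-0001", "name": "Pat Smith", "ssn": "123-45-6789", "credit_ok": True},
    {"index": "ap-0002", "name": "Pat Smith", "ssn": "987-65-4321", "credit_ok": False},
    {"index": "ap-0003", "name": "Lee Jones", "ssn": "555-55-5555", "credit_ok": True},
]


class AmbiguousLink(Exception):
    """Raised when a linking key matches more than one principal."""


class UnknownPrincipal(Exception):
    """Raised when a linking key matches no principal."""


def link_by(field, value):
    """Return the single AP record whose `field` equals `value`.

    Refuses to guess: zero matches or several matches are both errors, so the
    AP never returns attributes that might belong to a different principal.
    """
    matches = [r for r in AP_RECORDS if r[field] == value]
    if not matches:
        raise UnknownPrincipal(f"no principal with {field}={value!r}")
    if len(matches) > 1:
        raise AmbiguousLink(f"{len(matches)} principals share {field}={value!r}")
    return matches[0]


def _mac(obj):
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AP_KEY, data, hashlib.sha256).hexdigest()


def ap_assert_monolithic(record):
    """Sign the whole assertion, AP-local index included (the leak Eliot raised)."""
    body = {"index": record["index"], "attrs": {"credit_ok": record["credit_ok"]}}
    return {"body": body, "mac": _mac(body)}


def ap_assert_split(record):
    """Sign only the attributes; carry the AP-local index outside the signed part.

    The IdP can then drop the index before forwarding to the RP and the RP can
    still verify the attributes. Assumed design, not from the thread.
    """
    attrs = {"credit_ok": record["credit_ok"]}
    return {"index": record["index"], "attrs": attrs, "mac": _mac(attrs)}


def verify_monolithic(assertion):
    return hmac.compare_digest(assertion["mac"], _mac(assertion["body"]))


def verify_split(assertion):
    return hmac.compare_digest(assertion["mac"], _mac(assertion["attrs"]))


def idp_redact_monolithic(assertion):
    """IdP strips the AP index from a monolithic assertion: the MAC no longer verifies."""
    body = {k: v for k, v in assertion["body"].items() if k != "index"}
    return {"body": body, "mac": assertion["mac"]}


def idp_redact_split(assertion):
    """IdP strips the AP index from a split assertion: the attributes still verify."""
    return {"attrs": assertion["attrs"], "mac": assertion["mac"]}


if __name__ == "__main__":
    try:
        link_by("name", "Pat Smith")
    except AmbiguousLink as e:
        print("name linking refused:", e)
    rec = link_by("ssn", "123-45-6789")

    mono = ap_assert_monolithic(rec)
    print("monolithic verifies:", verify_monolithic(mono))
    print("monolithic after IdP redaction:", verify_monolithic(idp_redact_monolithic(mono)))

    redacted = idp_redact_split(ap_assert_split(rec))
    print("split after IdP redaction:", verify_split(redacted), "index present:", "index" in redacted)
```

The `link_by` check is the assurance the message says is incumbent on the attribute provider: on a name collision it refuses rather than returning attributes that may belong to someone else. The two assertion layouts show why the signature's coverage decides whether the AP's local index can be kept from the RP: once it is inside the signed body, any IdP that removes it also invalidates what the RP would verify.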