[ogsa-authn-bof] Shibboleth/Grid Namespace Convergence

Tom Scavo trscavo at gmail.com
Mon Feb 12 13:20:46 CST 2007


On 2/12/07, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
>
> i) Each IDP must already uniquely identify each of its users, otherwise
> it could not function correctly. How this is done is a local matter, and
> we don't really care. All the IDP needs to do is to provide this local
> name of the user to the CA.

This is where things fall down.  You're assuming a perfect world in
which IdPs freely assert local principal names across domain
boundaries.  Unfortunately, this is not the case today nor will it be
the case tomorrow.

Today IdPs assert transient, opaque identifiers.  Tomorrow IdPs will
assert persistent, opaque identifiers *scoped to the SP*.  That is,
the latter are not globally unique by design (to prevent collusion
among SPs).

Today some IdPs assert eduPersonPrincipalName (which is what you want)
but there are pressures working against this in the long run.
Tomorrow IdPs will rather assert eduPersonTargetedID (which is
equivalent to the persistent, opaque identifier mentioned above) but
again ePTID is *scoped to the SP*.

So it is not reasonable to assume all CAs will assert the same DN.
Such collusion is prevented by design.

> iii) Each IDP already has a globally unique DNS name. This is easily
> converted into a DN using the DC naming scheme e.g. kent.ac.uk becomes
> dc=kent, dc=ac, dc=uk

IdPs already have a globally unique naming scheme (involving URIs) so
why invent a new one?  If you must have a DNS-like name, however, you
should use the Scope attribute called out in IdP metadata (which is
used to qualify scoped attributes such as eduPersonPrincipalName and
eduPersonScopedAffiliation).

Tom
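As an added illustration of the two points argued above (this is example code, not from the thread, from Shibboleth or from either author): the hash construction used for the per-SP identifier is an assumption standing in for the real eduPersonTargetedID recipe, and the SP entityIDs, user name and salt are constructed values.

```python
import base64
import hashlib

# Constructed values (not from the thread): one IdP, two SPs, one user.
IDP_SCOPE = "kent.ac.uk"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
SALT = b"constructed-idp-secret-salt"  # never leaves the IdP


def targeted_id(local_name: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Persistent, opaque identifier scoped to one SP (the ePTID idea).

    Assumed construction, not Shibboleth's exact algorithm: hash the IdP's
    local user name together with the SP's entityID and a secret salt.
    Each SP gets a stable value for the user, but two SPs cannot match
    their values against each other without the salt, which is exactly
    the "no collusion among SPs" property Scavo describes.
    """
    material = salt + b"!" + local_name.encode() + b"!" + sp_entity_id.encode()
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def dns_to_dc_dn(dns_name: str) -> str:
    """Chadwick's DC naming scheme: kent.ac.uk -> dc=kent, dc=ac, dc=uk."""
    return ", ".join(f"dc={label}" for label in dns_name.split("."))


def scope_allowed(scoped_value: str, permitted_scopes) -> bool:
    """Scavo's alternative: accept a scoped attribute value such as the
    eduPersonPrincipalName 'jdoe@kent.ac.uk' only when the part after the
    '@' matches a Scope the IdP's metadata declares for that IdP."""
    if "@" not in scoped_value:
        return False
    scope = scoped_value.rsplit("@", 1)[1].lower()
    return scope in {s.lower() for s in permitted_scopes}


if __name__ == "__main__":
    print(targeted_id("jdoe", SP_A) == targeted_id("jdoe", SP_B))  # False
    print(dns_to_dc_dn(IDP_SCOPE))
    print(scope_allowed("jdoe@kent.ac.uk", {IDP_SCOPE}))
```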
