Versions Compared

Old Version 3

changes.mady.by.user Heather Flanagan

Saved on

compared with

New Version Current

changes.mady.by.user Heather Flanagan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • subject-id vs pairwise-id

    • Reasons for subject-id:

      • some use-cases need a non-targeted identifier, and this category is one way they can get it.

      • 'optional personalization' refers to the user, not to the IdP. If the IdP doesn't release the attributes then a user doesn't have the options.

      • the added protection by /not/ sending an opaque identifier may not actually achieve all that much even assuming bad intentions/actions at the SP. [if the concern is tracking users]

      • There are also many laws and regulations in most regions too (e.g. GDPR immediately comes to mind!). The data cant be used for anything other than the service access (authn/authz decision).

      • the original R&S spec did not use ePTID. That was never true. It used EPPN. ePTID was there to address EPPN changes/reassignment, not to be the actual identifier used in practice. [if subject-id is not ever reassigned, then it is an improvement over ePPN and we don't need a fall back]

    • Reasons for pairwise-id

      • make tracking of individual users more difficult

      • People take issue that people can learn other's subject-id; pairwise-id can be generated randomly.

    • Poll: Should Personalised Authorization use subject-id or pairwise-id? subject-id = 78% (7); need more information = 22% (2)
      • After discussion, both "need more information" have switched to "subject-id"; add this to the consensus list.
  • Should we add Nickname? Poll: yes (1), no (7), I don't care (1). Will leave out and revisit if it comes up during consultation
  • Next call
    • come back to whether the title of the category should use "Authorization"; maybe "Personalized Access" or "Personalized Entity Category"?
    • Start with section 6 of the draft; note this touches on the consensus we reached on an earlier call "We will adopt the following from R&S 1.3: "Service Providers SHOULD limit their data requirements to the bundle of attributes defined in Section 5, but MAY negotiate for additional data as required via mechanisms that are outside the scope of this specification."

Updated consensus specific to the Personalized Authorization spec

  1. if schacHomeOrg is present, then it's the value to be used; if not present, eduPersonScopedAffiliation should be used. (This was reverted on the last callSee 2021-07-01 R&S 2.0 Notes)
  2. We will adopt the following from R&S 1.3: "Service Providers SHOULD limit their data requirements to the bundle of attributes defined in Section 5, but MAY negotiate for additional data as required via mechanisms that are outside the scope of this specification." (See 2021-07-01 R&S 2.0 Notes)
  3. The entity categories (Anonymous Authorization, Pseudonymous, and Personalized) are mutually exclusive (See 2021-07-01 R&S 2.0 Notes)
  4. We will use subject-id for this specification. (See 2021-08-10 R&S 2.0 Notes)

Definition Statement for R&S

...