An open discussion list for topics related to the eduGAIN interfederation service.

[Ian Young <ian AT iay.org.uk>]

On 5 Dec 2013, at 11:14, Leif Johansson <leifj AT sunet.se> wrote:

> I'm actually pretty sure I'm right.

Aren't we all ;-)

> I have (say) an accredited idp from multiple sources: from a federation
> operator thats is authoritative from the key and some of the attributes
> and from Kantara that is authoritative for the assurance level
> attribute. These sources need to merge into your local trust-engine.

There are specific cases where you can make merging work. The one you're 
describing here might be one, but I don't agree that it's the right approach: 
having to register an entity with one source just to acquire an assurance 
level association seems to me to just make the multiple registration issue 
worse. Building a solution in terms of some kind of reputation service (TBD) 
has always seemed like a better solution to me.

That aside, I don't think the general case -- which is what you would need to 
address the sort of issue Dick is facing -- is soluble. I could be wrong, of 
course, but the way to demonstrate that would be to show me an algorithm. 
This is not the first time "just merge them" has been proposed as a solution 
to this problem, but I've never seen anything more specific proposed.

        -- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature