Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs


Chronological Thread 
  • From: Ian Young <ian AT iay.org.uk>
  • To: Leif Johansson <leifj AT sunet.se>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs
  • Date: Thu, 5 Dec 2013 11:25:54 +0000
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT iay.org.uk
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>


On 5 Dec 2013, at 11:14, Leif Johansson <leifj AT sunet.se> wrote:

> I'm actually pretty sure I'm right.

Aren't we all ;-)

> I have (say) an accredited idp from multiple sources: from a federation
> operator thats is authoritative from the key and some of the attributes
> and from Kantara that is authoritative for the assurance level
> attribute. These sources need to merge into your local trust-engine.

There are specific cases where you can make merging work. The one you're
describing here might be one, but I don't agree that it's the right approach:
having to register an entity with one source just to acquire an assurance
level association seems to me to just make the multiple registration issue
worse. Building a solution in terms of some kind of reputation service (TBD)
has always seemed like a better solution to me.

That aside, I don't think the general case -- which is what you would need to
address the sort of issue Dick is facing -- is soluble. I could be wrong, of
course, but the way to demonstrate that would be to show me an algorithm.
This is not the first time "just merge them" has been proposed as a solution
to this problem, but I've never seen anything more specific proposed.

-- Ian



Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19.

Top of Page