InCommon Technical Discussions

["Bellina, Brendan" <>]

Keith,

I disagree with the characterization that eppn permitting reassignment was a 
mistake.  It would not have been adopted as rapidly as it was had it been 
non-reassignable. Most Universities populated it based on name-based friendly 
user accounts and the need for reassignability in such circumstances was a 
given.  Without the broad adoption of eppn we would have likely never have 
gotten out of InQueue.  The mistake I think was allowing it to be a 
name-based identifier. That was a small convenience with high cost.
 
Regards,

Brendan Bellina, IdM Architect
UCLA Information Technology Services
✉ 

   ☏ +1 310 206 3131

On 6/8/17, 8:43 AM, 
"
 on behalf of Keith Hazelton" 
<
 on behalf of 
>
 wrote:

    Alan,
    
    One critical additional required characteristic of what you call a 
persistent identifier is that it must never be reassigned. That is, any given 
identifier value will be associated with a specific individual and it will 
never be ‘recycled’ and assigned to a different person.
    
    The failure to include non-reassignability in the list of required 
properties of the eduPersonPrincipalName (ePPN) attribute was, in hindsight, 
a serious mistake. A significant number of Service Providers (SPs) have 
decided that ePPN is not a satisfactory identifier for their purposes, 
primarily because of the lack of a normative reassignment. Operators of those 
SPs notably include a number of science-VOs and the ORCID organization.
    
    Add to this Scott Koranda’s recent email about the continuing challenge 
that science VOs face around arranging suitable attribute release policies 
from institutional IdPs. Taken together they suggest that science VOs and SPs 
with similar requirements see very little reliable information coming from 
institutional IdPs, neither identifiers nor attributes.
    
    I think the educational institution-based identity federation community 
should take this trend seriously. If that community chooses to do nothing, 
the long term consequence is likely to be that campus IdPs will end up 
playing no role in the support of Science VO activities.
    
               --Keith
    ________________________________
    On 2017-06-08, 09:02, "Alan Buxey" 
<>
 wrote:
    
        default attribute release policy is something that several federations
        are looking into.  I think the approach should be fairly simple and
        obvious
        eg if the SP is doing everything required (best practice) by the
        federation eg secure and decent code of conduct (e.g. think both
        'sirtfy' and Code of Conduct 'CoCo'),
        has a working/operating contact point, privacy policy etc then the
        basic pair of 'persistent ID and affiliation' should be a fair default
        release for any IdP.
        for more than that (eg real name of user, date of birth etc) then
        there would need to be further/enhanced practices - SP Level of
        Assurance system
        as then dealing with PPI .  some may feel that e.g. CoCo should cover
        an SP to a higher level(?) e.g. real name and/or email - thus allowing
        WIKIs etc
        to have full account information population
        
        alan