*MACE-Dir Conference Call*
January 20, 2003

*Participants*
Keith Hazelton -- Wisconsin (chair)
Brendan Bellina -- Notre Dame
Scott Cantor -- OSU
Steven Carmody -- Brown
Ken Klingenstein -- Colorado/Internet2
Landy Manderson -- UAB
Bob Talda -- Cornell
Ann West -- EDUCAUSE/Internet2
Nate Klingenstein -- Internet2 (scribe)

*Discussion*

Shibboleth & eduPersonEntitlement

Shibboleth pilots have been pioneering the inter-realm use of the attribute eduPersonEntitlement and facing several implementation questions. As Scott noted, "whenever you define something as an opaque string, you're deferring a lot of discussion." There is now a need to understand the strategies for storing and managing this information.

The distinction between what MACE-Dir says as the official designers of eduPerson and what it says as advisors to deployers was carefully drawn. Officially, the only requirement is that eduPersonEntitlement is characterized as opaque and populated with properly formed URIs. However, once the string is actually used, it becomes useful and important to consider it parsable. Shibboleth already allows pilots to partially parse and search this field, which has been natural and useful.

Questions also arose over the scope of MACE-Dir's involvement once the attribute leaves the directory. Should the group decide conflicts over whether these strings are supposed to contain information of relevance to the target or to the origin, or is that a Shibboleth issue? Target sites have generally expressed a desire to have some degree of control over the usage of these strings. Similar delegated-management issues are expected to arise in the near term.

The initial consensus reached by the group is that it is up to the parties setting up the relationship to work out any further structure for parsing and definition. The federation may also have a role in defining how attributes are used by its members, which provides ample opportunity for further layering of the problem space.
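As an added illustration of the consensus above (this is example code, not anything from MACE-Dir, eduPerson or Shibboleth): the only rule the specification fixes is that each eduPersonEntitlement value is an opaque, well-formed URI, so a relying party can always validate well-formedness and compare the exact agreed value. Anything beyond that, such as matching everything under a prefix, is a bilateral agreement, and the check below shows why such a rule needs to be delimiter-aware rather than a bare string prefix. The urn:example namespace and all sample values are constructed for the demonstration.

```python
"""Added example (not code from MACE-Dir, eduPerson or Shibboleth): a relying
party checking eduPersonEntitlement values. The page's only hard rule is that
each value is an opaque, well-formed URI; anything beyond exact comparison is
whatever the two parties agreed. Namespaces and values below are constructed."""
from urllib.parse import urlsplit

# Constructed sample assertion: what an origin might release for one user.
ASSERTED = [
    "urn:example:contract:library",                  # constructed value
    "urn:example:contract:library-staff",            # constructed value
    "https://idp.example.edu/entitlement/journals",  # constructed value
    "member",                                        # not a URI: must be ignored
]


def is_wellformed_uri(value: str) -> bool:
    """Syntactic check only: a scheme plus either an authority (https://...)
    or a non-empty scheme-specific part (urn:...), and no whitespace."""
    if not value or any(ch.isspace() for ch in value):
        return False
    parts = urlsplit(value)
    if not parts.scheme:
        return False
    return bool(parts.netloc or parts.path)


def valid_values(asserted):
    """Drop anything that is not a well-formed URI before any policy runs."""
    return [v for v in asserted if is_wellformed_uri(v)]


def entitled_exact(asserted, required: str) -> bool:
    """Opaque-string semantics: grant only on an exact match of the agreed value.
    This is the only comparison the attribute definition itself guarantees."""
    return required in valid_values(asserted)


def entitled_by_prefix(asserted, prefix: str):
    """Naive partial parsing: a plain string prefix. Over-matches sibling values
    (library-staff is admitted when the prefix was meant to cover library)."""
    return [v for v in valid_values(asserted) if v.startswith(prefix)]


def entitled_under(asserted, namespace: str):
    """Delimiter-aware partial parsing for urn-style values: the value is the
    namespace itself or lies strictly below it (namespace + ':' + ...). Still
    only as meaningful as the origin's promise about what it issues there."""
    return [v for v in valid_values(asserted)
            if v == namespace or v.startswith(namespace + ":")]


if __name__ == "__main__":
    ns = "urn:example:contract:library"
    print(valid_values(ASSERTED))
    print(entitled_exact(ASSERTED, ns))
    print(entitled_by_prefix(ASSERTED, ns))
    print(entitled_under(ASSERTED, ns))
```

The point for a deployer is that `entitled_exact` works with no agreement beyond "this is the value"; `entitled_by_prefix` and `entitled_under` both encode an agreement about the internal structure of the string, which is exactly the discussion the group decided to leave to the parties (and possibly the federation) rather than to the attribute definition.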
Leaving this to the parties will also provide an opportunity to see empirically how the question is handled in practice and whether that is a sufficient solution. [AI] Keith offered to draft some language to express MACE-Dir's position on the population of eduPersonEntitlement.

Attribute Scoping & Multiple Origins

Confronting the problem of how to assert that Steven Carmody of Brown University is a member of IEEE, the group first split the issue into two separate questions: how to appropriately scope a set of asserted attributes, and how to assert attributes from multiple origins about the same principal. The group noted the important consideration that the relying party is the arbiter of policy when it comes to allowing access to its resources, and it must be the one to understand the assertions.

Given that eduPerson as it stands is a broadly deployed object class, it is difficult to change the meaning or population of established attributes without potentially causing trouble for existing sites. Affiliation is the cardinal example, since an affiliation virtually always needs a scope to have meaning, but similar issues are likely to arise with other attributes. There are several ways that eduPerson could be moved towards an explicit scope, and [AI] Keith volunteered to capture the options and post them to the list so that many people have the chance to weigh in properly.

The Liberty Alliance specifications provide a means for an origin to express an established identity link to a target, allowing the target to use that mapping to request information from a second origin. This means that if a relying party wants to know about the IEEE membership of Brown University member Steven Carmody, it asks the Brown discovery service for credentials that allow it to contact the IEEE attribute provider in a way that respects the user's privacy.
While this method was intended for more permanent, established relationships, Scott could see no reason why it could not be adapted to the Shibboleth model of attribute release based on temporary handles. Shibboleth requires no proof to ask about a user other than a delivered token and familiarity with the requestor, while the Liberty Alliance requires the requestor to establish its right to ask the question by presenting additional credentials.

*Action Items*

1. Keith offered to draft some language to express MACE-Dir's position on the population of eduPersonEntitlement.
2. Keith volunteered to capture the possible ways to explicitly scope eduPerson attributes.