MACE-Dir Call 8-February-2010

**Attending**
- Brendan Bellina, USC (chair)
- Paul Hill, MIT
- Eric Goodman, UC Santa Cruz
- Michael Pelikan, The Penn State U.
- Scott Cantor, The Ohio State U.
- Michael Hodges, U. Hawaii
- Steve Olshansky, Internet2 (scribe)

**Next call 22-Feb-2010 4:30 PM EST**


**Carryover Action Items**

[AI] (All) Volunteers for working on surveys about managing people entries, attributes, and affiliations from non-authoritative sources, contact Keith.

[AI] (Keith) will follow up on the REFEDS list, conveying the sentiments expressed on the call today about the ePSA usage comparison.

[AI] (Mike) review the LocalDomainPerson survey results and the Shibboleth attribute naming documentation with an eye toward useful attributes to generalize, as a reference for naming guidelines and base attributes to propose.
http://middleware.internet2.edu/dir/localsurvey.html
http://middleware.internet2.edu/dir/docs/internet2-mace-dir-localdomainperson-200505.html

[AI] (RL "Bob") will craft a survey on use of the mail attribute and possible need for additional email attributes. This surfaced again at the recent TF-EMC2 meeting, in the context of a campus IdP serving Grid apps. E.g. what are RPs assuming?

[AI] (Brendan) will poll the mailing list for feedback on the use of name fields, and whether they have had the need to extend eduPerson locally with additional name fields.

[AI] (Brendan) will coordinate with the leaders of the Educause IdM Constituent Group, toward the goal of polling that group along with MACE-Dir for feedback on the use of commercial and open-source IdM products.


**Discussion**

Discussion of the allowed values of EPPN in relation to Kerberos usage (led by Paul Hill, MIT).

- Can an EPPN contain a Kerberos non-null-instance principal (e.g. pbh/root@MIT.EDU)?

- Should a different attribute than EPPN be created for communicating Kerberos principals (null-instance, non-null-instance, and service)?

- What is appropriate IdP behavior when someone authenticates with a non-null-instance principal (e.g. pbh/root@ATHENA.MIT.EDU)? Should the IdP assert the base EPPN (for this example, pbh@mit.edu)?

See for reference the OASIS document on this topic: "SAML V2.0 Kerberos Subject Confirmation Method Version 1.0" <http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-subject-confirmation-method-cd-01.pdf>

Moving into the SAML 2.0 world, in which an application can specify an authentication mechanism, brings this to the fore. A detailed discussion ensued...

EPPN is not Kerberos-aware per se: eduPerson places no constraint on how a Kerberos principal is mapped to EPPN, and there is no restriction on using a "/" on the left side. MIT doesn't want to pass this as the EPPN since EPPN has become so overloaded.

At MIT, the Kerberos namespace is scoped to the subdomain athena.mit.edu, while the namespace for assertions is mit.edu. The scope is issued by the underlying KDC and not by the Shib config files.

It was noted that EPPN was originally intended to be able to represent Kerberos principals, among other identifier types.

Should there be a new extension to eduPerson to indicate when someone has a separate Kerberos identifier, or should the Kerberos subject name be used? This would seem to be an example of a technology-specific identifier that organizations would find useful.

The question arose of using slashes in LDAP, which is an issue for AD. Is it also an issue for other LDAP implementations? No other examples were cited on the call. URI-valued attributes can have slashes, as one example.

It was observed that if there is a use case for passing Kerberos principal names in the SAML context, it would need to be in an attribute.
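As an added illustration of the distinction discussed above (example code written for these minutes, not from the call, Shibboleth, or any MACE-Dir deliverable): a small parser for Kerberos principal names, and the "assert the base EPPN" option from the third bullet, which drops the instance and re-scopes the realm. The realm-to-scope table and the `kerberosPrincipalName` attribute name are assumptions of this example only; eduPerson defines no such attribute.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: Kerberos realm -> eduPerson scope. The call
# noted MIT's realm is ATHENA.MIT.EDU while assertions are scoped to mit.edu.
REALM_TO_SCOPE = {"ATHENA.MIT.EDU": "mit.edu", "MIT.EDU": "mit.edu"}


@dataclass(frozen=True)
class KerberosPrincipal:
    primary: str
    instance: Optional[str]  # None for a "null instance" principal (pbh@REALM)
    realm: str

    @property
    def is_null_instance(self) -> bool:
        return self.instance is None


def parse_principal(name: str) -> KerberosPrincipal:
    """Parse 'primary[/instance...]@REALM'. Backslash escaping of '/' and '@'
    is not handled here (simplifying assumption). Raises ValueError if malformed."""
    if name.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in principal: {name!r}")
    local, realm = name.split("@")
    primary, sep, instance = local.partition("/")
    if not primary or not realm or (sep and not instance):
        raise ValueError(f"empty component in principal: {name!r}")
    # Multi-component names (a/b/c@REALM) keep everything after the primary
    # as the instance string.
    return KerberosPrincipal(primary, instance if sep else None, realm)


def base_eppn(p: KerberosPrincipal) -> str:
    """One option raised on the call: assert primary@scope as EPPN instead of
    passing a '/'-bearing principal through, so pbh/root@ATHENA.MIT.EDU -> pbh@mit.edu."""
    scope = REALM_TO_SCOPE.get(p.realm)
    if scope is None:
        raise ValueError(f"no eduPerson scope known for realm {p.realm!r}")
    return f"{p.primary}@{scope}"


def principal_to_attributes(name: str) -> dict:
    """Attributes an IdP might release for an authenticated principal.
    The full principal only travels in a separate (assumed-name) attribute."""
    p = parse_principal(name)
    attrs = {"eduPersonPrincipalName": base_eppn(p)}
    if not p.is_null_instance:
        attrs["kerberosPrincipalName"] = name  # assumed attribute name
    return attrs
```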