- From: Albert Lunde <atlunde@panix.com>
- Date: Fri, 25 Sep 2015 11:45:31 -0500
- To: Dave Longley <dlongley@digitalbazaar.com>, Dave Raggett <dsr@w3.org>, Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Martin Paljak <martin.paljak@ria.ee>, public-web-security@w3.org
On 9/25/2015 8:48 AM, Dave Longley wrote:
> I think it would be better to create short-lived bearer credentials in
> these situations. An Issuer can create one of these or an Issuer or
> trusted "anonymizer" service could convert a long-lived credential into
> one of these and then give it to the User.
There's a thread about short-term vs long-term identifiers running on
the "MACE-Dir" list:
"[MACE-Dir] Identifiers in a federated world Was: [InC] in what sense
is attribute release a requirement?"
This is in the context of Shibboleth and SAML2, which has the ability to
create either anonymous sessions, per-vendor IDs, or release globally
unique more-or-less-public attributes like e-mail or eduPersonPrincipalName.
The experience with service providers seems to be that they want
long-lived identifiers to create user profiles.
This is often used with commercial vendors (like library resources) or
virtual organizations spanning several institutions. But typically
there's some prior relationship between the organizations if not with
the individual.
--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)
Received on Friday, 25 September 2015 16:45:55 UTC
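The three identifier options the message names (anonymous sessions, per-vendor IDs, globally unique attributes), as an added Python illustration that is not part of this thread; the HMAC-based pairwise derivation, the IdP secret, the SP entityIDs and the user record are constructed assumptions, not Shibboleth's own implementation.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values (assumptions): an IdP-side secret and one user.
IDP_PAIRWISE_SECRET = b"constructed-idp-secret-do-not-reuse"
USER = {"internal_id": "uid=12345", "eduPersonPrincipalName": "alice@example.edu"}


def transient_id() -> str:
    """Anonymous session: a fresh random NameID, never repeated."""
    return "_" + secrets.token_hex(16)


def pairwise_id(internal_id: str, sp_entity_id: str,
                secret: bytes = IDP_PAIRWISE_SECRET) -> str:
    """Per-vendor id: stable for one (user, SP) pair, but two SPs cannot
    correlate users without the IdP secret (the idea behind persistent
    NameID / eduPersonTargetedID; the HMAC construction here is assumed)."""
    msg = f"{internal_id}!{sp_entity_id}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def global_attribute(user: dict, name: str = "eduPersonPrincipalName") -> str:
    """Globally unique, more-or-less public attribute: identical at every SP."""
    return user[name]


def release(user: dict, sp_entity_id: str, policy: str) -> dict:
    """What an IdP would hand to an SP under each release policy."""
    if policy == "transient":
        return {"NameID": transient_id()}
    if policy == "pairwise":
        return {"NameID": pairwise_id(user["internal_id"], sp_entity_id)}
    if policy == "global":
        return {"eduPersonPrincipalName": global_attribute(user)}
    raise ValueError(f"unknown policy {policy!r}")


def linkable_across(user: dict, sp_a: str, sp_b: str, policy: str) -> bool:
    """True if SP a and SP b, comparing released values, can match this
    user's profiles (the long-lived-identifier tradeoff in the thread)."""
    va = next(iter(release(user, sp_a, policy).values()))
    vb = next(iter(release(user, sp_b, policy).values()))
    return va == vb
```

Running `linkable_across` with the same SP twice shows that a pairwise ID is stable for that vendor (a profile can be built), while a transient ID is not, and the global attribute links the user everywhere.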