When persistence has a sell-by date
I note that Nicole Harris at JISC has started the JISC Access Management Team Blog... good stuff and a welcome addition to the UK HE blog landscape. In her posting entitled The Accountability Question she notes that The Rules of the UK Federation (section 6.4.2) state that:
where unique persistent Attributes (e.g. eduPersonTargetedID or eduPersonPrincipalName) are associated with an End User, the End User Organisation must ensure that these Attribute values are not re-issued to another End User for at least 24 months;
I remember reading this guidance during the comment period on the various policy documents that came out at the start of the UK Federation - it struck me then as rather odd. Any sentence that starts with 'unique persistent' and ends with 'not re-issued ... for at least 24 months' has got to ring alarm bells somewhere hasn't it?
Why 24 months? Less than the period for which most students are at university! The problem, or so it seems to me, is that any service provider that wants to make use of these attributes can't rely on them being persistent even for as long as the student is typically at university. As a result, service providers will presumably have to find some other way of guaranteeing that the person they are dealing with today is the same as the person they were dealing with yesterday, at least for any unique persistent attribute that is nearing its second birthday :-(
I'm tempted to ask why any time limit is suggested? Why not simply say that these attributes must never be re-used? Presumably some institutions have problems ensuring that they do not re-use their local usernames and so on. But so what?! Generate a truly unique persistent handle for the user in some way (a UUID or something) and associate it with the local username through some kind of look-up table.
That way you can easily guarantee that these identifiers will never be re-used. Am I missing something obvious here?
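As an added sketch of the look-up-table approach proposed above (illustrative code, not from the blog or from the UK Federation), assuming an identity provider keeps the table itself: each local username maps to a random UUID handle, every handle ever issued is remembered so a reassigned username gets a fresh one, and a per-service-provider targeted ID is derived from the handle with an HMAC so the same person is stable at one SP without being linkable across SPs.

```python
import hashlib
import hmac
import uuid


class PersistentIdRegistry:
    """Identity-provider-side table: local username -> persistent handle.

    Handles are never re-issued, even when a local username is later
    given to a different person, which is what a 24-month rule only
    approximates.
    """

    def __init__(self, idp_secret: bytes):
        self._secret = idp_secret      # constructed secret, IdP-private
        self._active = {}              # username -> current handle
        self._issued = set()           # every handle ever issued
        self._retired = {}             # handle -> username it belonged to

    def enrol(self, username: str) -> str:
        """Issue a brand-new handle for a (possibly recycled) username."""
        if username in self._active:
            raise ValueError(f"{username} already has an active handle")
        handle = str(uuid.uuid4())
        while handle in self._issued:  # vanishingly unlikely, but cheap
            handle = str(uuid.uuid4())
        self._issued.add(handle)
        self._active[username] = handle
        return handle

    def retire(self, username: str) -> str:
        """Account closed: keep the handle on record so it is never reused."""
        handle = self._active.pop(username)
        self._retired[handle] = username
        return handle

    def handle_for(self, username: str) -> str:
        return self._active[username]

    def was_ever_issued(self, handle: str) -> bool:
        return handle in self._issued

    def targeted_id(self, username: str, sp_entity_id: str) -> str:
        """Pairwise opaque identifier (eduPersonTargetedID-style) per SP."""
        msg = f"{self.handle_for(username)}|{sp_entity_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
```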