
April 17, 2007

When persistence has a sell-by date

I note that Nicole Harris at JISC has started the JISC Access Management Team Blog... good stuff and a welcome addition to the UK HE blog landscape.  In her posting entitled The Accountability Question she notes that The Rules of the UK Federation (section 6.4.2) state that:

where unique persistent Attributes (e.g. eduPersonTargetedID or eduPersonPrincipalName) are associated with an End User, the End User Organisation must ensure that these Attribute values are not re-issued to another End User for at least 24 months;

I remember reading this guidance during the comment period on the various policy documents that came out at the start of the UK Federation - it struck me then as rather odd.  Any sentence that starts with 'unique persistent' and ends with 'not re-issued ... for at least 24 months' has got to ring alarm bells somewhere, hasn't it?

Why 24 months?  Less than the period for which most students are at university!  The problem, or so it seems to me, is that any service provider that wants to make use of these attributes can't rely on them being persistent even for as long as the student is typically at university.  As a result, service providers will presumably have to find some other way of guaranteeing that the person they are dealing with today is the same as the person they were dealing with yesterday, at least for any unique persistent attribute that is nearing its second birthday :-(

I'm tempted to ask why any time limit is suggested at all.  Why not simply say that these attributes must never be re-used?  Presumably some institutions have problems ensuring that they do not re-use their local usernames and so on.  But so what?!  Generate a truly unique persistent handle for the user in some way (a UUID or something) and associate it with the local username through some kind of look-up table.

That way you can easily guarantee that these identifiers will never be re-used.  Am I missing something obvious here?
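As an added illustration of the look-up-table approach suggested above (example code, not part of the original post or of any federation or identity-provider software): the registry keeps retired handles forever, so a reassigned local username gets a fresh UUID rather than the previous holder's, and derives an opaque per-service value from that handle in the spirit of eduPersonTargetedID. The class, method names, secret and the sample username and service URL are constructed for the example.

```python
import hashlib
import hmac
import uuid


class PersistentIdRegistry:
    """Look-up table from local username to a handle that is never re-used,
    even when the username is later reassigned (constructed example)."""

    def __init__(self, secret: bytes):
        self._secret = secret      # IdP-held key for per-service identifiers
        self._active = {}          # local username -> handle currently in use
        self._retired = set()      # handles revoked in the past, never re-issued

    def handle_for(self, username: str) -> str:
        """Return the user's handle, minting a fresh UUID for a new assignment."""
        if username not in self._active:
            handle = str(uuid.uuid4())
            # uuid4 collisions are negligible; the check makes the guarantee explicit
            while handle in self._retired or handle in self._active.values():
                handle = str(uuid.uuid4())
            self._active[username] = handle
        return self._active[username]

    def revoke(self, username: str) -> str:
        """Retire the handle when the account closes; the username may be
        reassigned later, but this handle can never be handed out again."""
        handle = self._active.pop(username)
        self._retired.add(handle)
        return handle

    def is_retired(self, handle: str) -> bool:
        return handle in self._retired

    def targeted_id(self, username: str, sp_entity_id: str) -> str:
        """Opaque per-service value in the spirit of eduPersonTargetedID: derived
        from the handle (so it is persistent) and keyed per service provider
        (so two services cannot correlate a user by it)."""
        msg = f"{self.handle_for(username)}|{sp_entity_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


def reassignment_demo(sp: str = "https://sp.example.org/shibboleth") -> dict:
    """Close the 'asmith' account and reassign the username to a new person."""
    reg = PersistentIdRegistry(secret=b"constructed-idp-secret")
    first, first_tid = reg.handle_for("asmith"), reg.targeted_id("asmith", sp)
    reg.revoke("asmith")
    second, second_tid = reg.handle_for("asmith"), reg.targeted_id("asmith", sp)
    return {"first": first, "second": second,
            "first_retired": reg.is_retired(first), "tids_differ": first_tid != second_tid}
```

A service provider that stored the first targeted id therefore never matches the second holder of 'asmith', however quickly the username was recycled.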




Hi Andy. Good points. The current statement does not make it clear that the policy means at least not to reissue 24 months *after credentials have been revoked from the original user*. I will suggest a word change on that one.

I agree that it would be great if identifiers were not reassigned, but current practice in most universities is to reassign...so we need a policy to cope with this reality. This is particularly true with e-mail addresses, which are often reused. A UUID would not help in the situations where an e-mail address is passed as an attribute, and we need to be able to assert that this is currently 'unique' and correct for that user, as well as truly persistent identifiers such as eduPersonTargetedID.

These shades of application will refine as time goes on. 'Unique' and 'persistent' can more easily be applied to non-personal identifiers such as TargetedID...but these words are perhaps wrong for other attributes, such as PrincipalName. Perhaps something along the lines of 'current or live registered'?? Definitely something for further debate.



