<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hello Denis,</p>
    <p>I think we are (or at least I am) currently thinking of the
      second option.</p>
    <p>Kind regards,<br>
      Cynthia Revström<br>
    </p>
    <div class="moz-cite-prefix">On 2019-01-07 12:34, denis walker
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:1093575589.22201399.1546860889344@mail.yahoo.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div style="color:#000; background-color:#fff;
        font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande,
        sans-serif;font-size:16px">
        <div id="yui_3_16_0_ym19_1_1546578800374_119920"><span
            id="yui_3_16_0_ym19_1_1546578800374_119963">So maybe we are
            thinking of something like this:</span></div>
        <div id="yui_3_16_0_ym19_1_1546578800374_119999"><span><br>
          </span></div>
        <div id="yui_3_16_0_ym19_1_1546578800374_119962"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961">A MNTNER object
            that is created by the RIPE NCC and perhaps jointly
            maintained by the RIPE NCC and the LIR, that is created when
            a new LIR is established and includes the SSO auth of all
            listed (non-billing) LIR contacts.</span></div>
        <div id="yui_3_16_0_ym19_1_1546578800374_120038"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"><br>
          </span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_120126"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961">Each time a
            (non-billing) contact is added or removed from the LIR
            account the appropriate SSO auth is automatically added or
            removed from this MNTNER object.</span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_120149"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"><br>
          </span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_120172"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961">Automatic
            changes are only made to the MNTNER object when a change is
            made to the LIR user contact list, but not constantly
            synced. Then the LIR can optionally choose to manually
            remove any of the contacts from the MNTNER object and it
            won't automatically be re-synced.</span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_123589"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"><br>
          </span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_123590"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961">The LIR can
            choose if, when, where and how to use this MNTNER object.<br>
          </span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_125345"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"><br>
          </span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_125456"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961">OR:</span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_125457"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"><br>
          </span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_125458"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961">A new auth
            option<br>
            auth: SSO-LIR no.foobar</span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_125472"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"><br>
          </span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_125553"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961">where SSO-LIR is
            automatically expanded to include all the (selected) listed
            LIR (non-billing) contacts for no.foobar. There could be an
            option in the LIR portal to mark/flag which of the LIR
            contacts are to be included in the expanded list.</span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_125645"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"></span><br>
          <span id="yui_3_16_0_ym19_1_1546578800374_119961"><span
              id="yui_3_16_0_ym19_1_1546578800374_125622">The LIR can
              choose if, when, where and how to use this auth option.<br>
            </span></span></div>
        <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_135359"><span
            id="yui_3_16_0_ym19_1_1546578800374_119961"><br>
          </span></div>
        <div dir="ltr"><span id="yui_3_16_0_ym19_1_1546578800374_119961">cheers</span></div>
        <div dir="ltr"><span id="yui_3_16_0_ym19_1_1546578800374_119961">denis</span></div>
        <div dir="ltr"><span id="yui_3_16_0_ym19_1_1546578800374_119961">co-chair
            DB-WG</span></div>
        <div dir="ltr"><span id="yui_3_16_0_ym19_1_1546578800374_119961"></span></div>
        <div class="qtdSeparateBR"
          id="yui_3_16_0_ym19_1_1546578800374_119921"><br>
          <br>
        </div>
        <div class="yahoo_quoted"
          id="yui_3_16_0_ym19_1_1546578800374_119925" style="display:
          block;">
          <div style="font-family: Helvetica Neue, Helvetica, Arial,
            Lucida Grande, sans-serif; font-size: 16px;"
            id="yui_3_16_0_ym19_1_1546578800374_119924">
            <div style="font-family: HelveticaNeue, Helvetica Neue,
              Helvetica, Arial, Lucida Grande, Sans-Serif; font-size:
              16px;" id="yui_3_16_0_ym19_1_1546578800374_119923">
              <div dir="ltr" id="yui_3_16_0_ym19_1_1546578800374_119922">
                <font id="yui_3_16_0_ym19_1_1546578800374_119960"
                  size="2" face="Arial">
                  <hr id="yui_3_16_0_ym19_1_1546578800374_120179"
                    size="1"> <b><span style="font-weight:bold;">From:</span></b>
                  Cynthia Revström via db-wg <a class="moz-txt-link-rfc2396E" href="mailto:db-wg@ripe.net"><db-wg@ripe.net></a><br>
                  <b><span style="font-weight: bold;">To:</span></b>
                  Nick Hilliard <a class="moz-txt-link-rfc2396E" href="mailto:nick@foobar.org"><nick@foobar.org></a> <br>
                  <b><span style="font-weight: bold;">Cc:</span></b>
                  <a class="moz-txt-link-abbreviated" href="mailto:db-wg@ripe.net">db-wg@ripe.net</a><br>
                  <b><span style="font-weight: bold;">Sent:</span></b>
                  Monday, 7 January 2019, 11:54<br>
                  <b><span style="font-weight: bold;">Subject:</span></b>
                  Re: [db-wg] Idea: magic mntner for all LIR contacts<br>
                </font> </div>
              <div class="y_msg_container"
                id="yui_3_16_0_ym19_1_1546578800374_120178"><br>
                <div dir="ltr"
                  id="yui_3_16_0_ym19_1_1546578800374_120177">I think
                  the point of this maintainer issue was that if you
                  removed <br clear="none">
                  someone from the LIR auth list, they would also get
                  removed from the DB <br clear="none">
                  maintainer. I don't think that SSO-LIR should be the
                  standard, but it <br clear="none">
                  should be an option in my opinion.<br clear="none">
                  <br clear="none">
                  Because while what you are describing could be an
                  issue, I think it <br clear="none">
                  could be a bigger issue to forget to remove someone
                  from the SSO in the <br clear="none">
                  maintainer.<br clear="none">
                  <br clear="none">
                  Kind regards,<br clear="none">
                  Cynthia Revström<br clear="none">
                  <div class="yqt8769704300" id="yqtfd20858"><br
                      clear="none">
                    On 2019-01-07 11:48, Nick Hilliard wrote:<br
                      clear="none">
                    > Cynthia Revström via db-wg wrote on 07/01/2019
                    10:27:<br clear="none">
                    >> I think the current main suggestion is to
                    add a new DB auth scheme, <br clear="none">
                    >> such as "auth: SSO-LIR no.foobar" that
                    includes all the SSO accounts <br clear="none">
                    >> linked to the LIR except for Billing
                    accounts.<br clear="none">
                    ><br clear="none">
                    > Denis is just pointing out that it may not be
                    advisable to statically <br clear="none">
                    > tie this into a potentially inflexible
                    mechanism like the main LIR <br clear="none">
                    > authentication list.  You can be guaranteed
                    that if this were done, <br clear="none">
                    > someone would come along with a credible reason
                    to have a LIR account <br clear="none">
                    > with admin control over portal stuff, but not
                    direct DB control of a <br clear="none">
                    > specific object or set of objects.<br
                      clear="none">
                    ><br clear="none">
                    > One possible option to work around this
                    limitation would be to create <br clear="none">
                    > a new db object type, "sso-set", which could
                    contain a list of SSO <br clear="none">
                    > account names, e.g.:<br clear="none">
                    ><br clear="none">
                    > sso-set:  FOOBAR1-RIPE<br clear="none">
                    > descr:    List of SSO tokens for no.foobar<br
                      clear="none">
                    > members:  <a shape="rect"
                      ymailto="mailto:foo@example.com"
                      href="mailto:foo@example.com"
                      moz-do-not-send="true">foo@example.com</a><br
                      clear="none">
                    > members:  <a shape="rect"
                      ymailto="mailto:bar@example.org"
                      href="mailto:bar@example.org"
                      moz-do-not-send="true">bar@example.org</a><br
                      clear="none">
                    > mnt-by:   TBD1-RIPE<br clear="none">
                    > source:   RIPE<br clear="none">
                    ><br clear="none">
                    > Each LIR would be able to define sso-sets with
                    arbitrary contents and <br clear="none">
                    > tie them to objects, e.g. like this:<br
                      clear="none">
                    ><br clear="none">
                    > auth: SSO-SET FOOBAR1-RIPE<br clear="none">
                    ><br clear="none">
                    > There would need to be some thought put into
                    how to handle mnt-by: for <br clear="none">
                    > the sso-set object (quis custodiet ipsos
                    custodes)?<br clear="none">
                    ><br clear="none">
                    > Nick<br clear="none">
                    ><br clear="none">
                    <br clear="none">
                  </div>
                </div>
                <br>
                <br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
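<p>The three mechanisms discussed in the thread above, modelled as working code. This is an added example written for this page, not code from the RIPE NCC or the RIPE Database; the LIR contact list, the sso-set object, the MNTNER text and all account names are constructed, and the "flagged in the portal" bit is an assumption standing in for the mark/flag option Denis mentions. It covers Denis's first option (a MNTNER kept in step with the LIR's non-billing contacts on change events, with manual removals left alone), his second option ("auth: SSO-LIR no.foobar" expanded to the selected non-billing contacts) and Nick's sso-set variant ("auth: SSO-SET FOOBAR1-RIPE"), so the billing-contact exclusion and the "removed from the LIR means removed from the maintainer" behaviour Cynthia raises can be checked directly.</p>

```python
"""Model of the SSO auth expansions discussed in the db-wg thread.

Added example, not RIPE NCC code. All LIR data, sso-set objects and account
names are constructed; the object format follows the RPSL shown in the thread.
"""
from dataclasses import dataclass, field

# Constructed LIR portal data: regid -> {sso account: (role, flagged_for_db)}.
# "flagged_for_db" is an assumed portal option marking which contacts are
# included in the expanded list, as Denis suggests.
LIR_CONTACTS = {
    "no.foobar": {
        "foo@example.com": ("admin", True),
        "bar@example.org": ("tech", True),
        "baz@example.net": ("tech", False),     # not flagged in the portal
        "bill@example.com": ("billing", True),  # billing contacts never expand
    },
}

# Constructed sso-set object (Nick's proposal), keyed by object name.
SSO_SETS = {
    "FOOBAR1-RIPE": {"foo@example.com", "bar@example.org"},
}

# Constructed MNTNER using all three SSO-style schemes from the thread.
EXAMPLE_MNTNER = """
mntner:  FOOBAR-MNT
auth:    SSO-LIR no.foobar
auth:    SSO-SET FOOBAR1-RIPE
auth:    SSO solo@example.com
mnt-by:  FOOBAR-MNT
source:  RIPE
"""


def parse_rpsl(text):
    """Return the (attribute, value) pairs of one RPSL-style object."""
    pairs = []
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def sso_lir_members(regid, contacts=LIR_CONTACTS):
    """Expand SSO-LIR <regid>: flagged, non-billing contacts of that LIR."""
    return {acct for acct, (role, flagged) in contacts.get(regid, {}).items()
            if role != "billing" and flagged}


def expand_auth(mntner_text, contacts=LIR_CONTACTS, sso_sets=SSO_SETS):
    """Resolve every auth: line of a MNTNER into the SSO accounts it admits."""
    admitted = set()
    for attr, value in parse_rpsl(mntner_text):
        if attr != "auth":
            continue
        scheme, _, arg = value.partition(" ")
        scheme = scheme.upper()
        if scheme == "SSO":            # existing per-account SSO auth
            admitted.add(arg)
        elif scheme == "SSO-LIR":      # Denis's second option
            admitted |= sso_lir_members(arg, contacts)
        elif scheme == "SSO-SET":      # Nick's sso-set object
            admitted |= sso_sets.get(arg, set())
        # MD5-PW, PGPKEY-... and so on are not SSO accounts; ignored here
    return admitted


def is_authorised(account, mntner_text, **kw):
    """True if the account can authenticate against the given MNTNER."""
    return account in expand_auth(mntner_text, **kw)


@dataclass
class LirMntner:
    """Denis's first option: a MNTNER synced on contact-change events only."""
    regid: str
    auth: set = field(default_factory=set)
    manually_removed: set = field(default_factory=set)

    def on_contact_added(self, account, role):
        """LIR portal event: add the SSO auth unless billing or opted out."""
        if role != "billing" and account not in self.manually_removed:
            self.auth.add(account)

    def on_contact_removed(self, account):
        """LIR portal event: removal from the LIR removes the DB auth too."""
        self.auth.discard(account)

    def manual_remove(self, account):
        """The LIR opts this account out; later events will not re-add it
        (assumed reading of "won't automatically be re-synced")."""
        self.auth.discard(account)
        self.manually_removed.add(account)


if __name__ == "__main__":
    print(sorted(expand_auth(EXAMPLE_MNTNER)))
    m = LirMntner("no.foobar")
    for acct, (role, _) in LIR_CONTACTS["no.foobar"].items():
        m.on_contact_added(acct, role)
    print(sorted(m.auth))
```

<p>Running it shows the billing contact and the unflagged contact excluded from the SSO-LIR expansion, and that a contact the LIR removes by hand stays out of the synced MNTNER even when the portal later reports that contact again. What the model does not settle is Nick's closing question: who maintains the sso-set object itself, which here is just another object with its own mnt-by.</p>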
  </body>
</html>