### Possible scenarios

... E. A user (or agent service) is in possession of statically-assigned credentials (an identity + zero-or-more attributes).

### Possible conclusion:

A. We only reference in our profile possible ways of retrieving either ACs or SAML assertions (e.g. by pointing to the SAML-request document that is in public comment currently as mentioned earlier). We do not intend to profile how exactly a user gets its attributes.

B. If we agree on A - we indirectly agree on attribute push since in the attribute pull mode - for interoperability reasons - the interface of getting attributes must be known so that the middleware can contact it on behalf of the user!

C. We deal with RFC ACs

D. We deal with SAML assertions

E. We only consider C+D in the first iteration of the profile

We would prefer to begin with A (which implies B). We can always layer an agreement for attribute/token aquisition at a later date if the world demands a pull-style mode. -Duane