
for saml2int

- No more use of subject identifiers at the assertion level other than transients (for logout)

- No use of encrypted identifiers; if you want to support logout, use a transient ID

- Only use attributes to carry identifiers in the assertion

- We don't expect support for non-string-based attributes any longer (precluding eduPersonTargetedID)

- SAML persistent ID cannot be used safely because it's case-sensitive, which is unworkable in many COTS applications

for R&E federations

- Use ePUID

     - We NEED to codify/ratify the caseIgnoreMatch status; we probably need to further profile this to exclude Unicode scopes

- Use non-reassigned ePPN

THAT'S IT


Pairwise IDs offer ZERO legal protection under EU privacy law (this is not known to be true, but its falseness is also not known to be true), and come at a HUGE cost to deployers of IdPs and collaborative / research SPs.

SAML assumed that relying parties would simply compare identifier strings exactly. It turns out that apps / implementations do not do this: they end up converting to all-upper or all-lower case ('normalizing' case), so SAML's existing solution for pairwise identifiers is dangerous and should be replaced if we still want pairwise IDs.
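The following is an added example, not code from the original page or from any federation's tooling. It illustrates both lists above: a check that an assertion carries only a transient NameID, no EncryptedID, and an ePUID as an attribute; a caseIgnoreMatch comparison for ePUID restricted to ASCII scopes; and the case-normalization collision that makes SAML persistent IDs unsafe when applications fold case. The sample assertions are constructed, and the exact ePUID grammar (ASCII-only local part and scope) is an assumption in the direction the note takes when it says to exclude Unicode scopes; the eduPersonUniqueId OID is the real one.

```python
"""Identifier checks for the saml2int / R&E federation notes (added example)."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPUID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"  # eduPersonUniqueId

# Assumed grammar (not on the page): ASCII alphanumeric local part, ASCII domain scope.
# Restricting to ASCII is what makes case-insensitive matching unambiguous.
EPUID_RE = re.compile(r"^[A-Za-z0-9]+@[A-Za-z0-9]+(?:[.-][A-Za-z0-9]+)*$")


def persistent_id_equal(a: str, b: str) -> bool:
    """SAML persistent NameIDs are opaque, case-sensitive strings: exact compare only."""
    return a == b


def normalized_collisions(ids):
    """Group persistent IDs that become indistinguishable once an application
    'normalizes' case. Any non-empty result is the failure mode the notes describe."""
    groups = {}
    for value in ids:
        groups.setdefault(value.lower(), []).append(value)
    return [group for group in groups.values() if len(group) > 1]


def epuid_equal(a: str, b: str) -> bool:
    """caseIgnoreMatch for ePUID. Values outside the ASCII grammar are rejected
    rather than folded, so Unicode case-folding quirks cannot create matches."""
    for value in (a, b):
        if not EPUID_RE.fullmatch(value):
            raise ValueError(f"not a well-formed ASCII ePUID: {value!r}")
    return a.lower() == b.lower()


def extract_identifiers(assertion_xml: str) -> dict:
    """Pull the assertion-level NameID and the ePUID attribute values out of an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "") for v in attr.findall("saml:AttributeValue", NS)
        ]
    return {
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": name_id.text if name_id is not None else None,
        "epuid": attrs.get(EPUID_OID, []),
    }


def check_subject_policy(assertion_xml: str) -> list:
    """Findings against the notes: transient-only NameID at the assertion level,
    no EncryptedID, and the identifier carried as a well-formed ePUID attribute."""
    root = ET.fromstring(assertion_xml)
    findings = []
    if root.find("saml:Subject/saml:EncryptedID", NS) is not None:
        findings.append("EncryptedID in Subject")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format") != NAMEID_TRANSIENT:
        findings.append(f"non-transient NameID format: {name_id.get('Format')}")
    if not any(EPUID_RE.fullmatch(v) for v in extract_identifiers(assertion_xml)["epuid"]):
        findings.append("no well-formed ePUID attribute")
    return findings


# Constructed sample assertions (signatures and conditions omitted for brevity).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_TRANSIENT}">_transient0001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPUID_OID}">
      <saml:AttributeValue>28c5353b8bb34984a8bd4169ea2e8a06@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

BAD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a2" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_PERSISTENT}">AbC123</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print("good:", check_subject_policy(GOOD_ASSERTION))
    print("bad:", check_subject_policy(BAD_ASSERTION))
    print("persistent exact:", persistent_id_equal("AbC123", "abc123"))
    print("collisions after case folding:", normalized_collisions(["AbC123", "abc123", "xyz"]))
    print("ePUID caseIgnoreMatch:", epuid_equal(
        "28c5353b8bb34984a8bd4169ea2e8a06@Example.EDU",
        "28C5353B8BB34984A8BD4169EA2E8A06@example.edu"))
```

The two comparison functions are deliberately different: a persistent NameID must never be case-folded, so `normalized_collisions` is the audit you run over an SP's user table to see whether its 'normalizing' has already merged distinct subjects, while `epuid_equal` folds case only because the profiled grammar guarantees that folding is lossless.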
