[Wg-egov] FW: [security-services] SAML deployments that use consent step?
Robin Wilton
futureidentity at fastmail.fm
Tue Nov 10 06:23:52 EST 2009
I tend to agree with Søren Peter - consent in general is something worth
doing more to include, rather than omit.
Thinking back to the early days of Liberty (though Conor will remember
more of this than I do), its specification of the "User Interaction"
mechanism (for asking the user, on an attribute-by-attribute basis)
details of consent (this time only, always, never, always ask...) was
excellent but ahead of its time. I think since then (2002-2003...)
awareness has been growing that attribute-level disclosure management is
increasingly relevant.
Wouldn't it be tragic if the general user culture finally swung round to
attribute-level consent and we didn't have anything to offer?
R
On Tue, 10 Nov 2009 07:05 +0100, "Søren Peter Nielsen" <spn at itst.dk>
wrote:
> Denmark's OIOSAML profile requires the consent attribute to be included when
> making an AttributeQuery for personally sensitive data. However, I am
> not sure whether consent is being used in any Danish
> deployments... Currently AttributeQuery is only being used at some scale
> for requesting roles in a context where the requested data are not
> considered personally sensitive.
>
> Consent in general is a thing we want to support better with
> IT technology; several avenues are on the plate. Depending on where the
> momentum comes from, use of the SAML consent feature may or may not dwindle
> away from the profile, but we do not have clarity about this yet.
>
> /Søren P
> ________________________________________
> From: wg-egov-bounces at kantarainitiative.org
> [wg-egov-bounces at kantarainitiative.org] On Behalf Of Colin Wallis
> [Colin.Wallis at dia.govt.nz]
> Sent: Tuesday, November 10, 2009 3:25 AM
> To: 'Kyle Meadors'; wg-egov at kantarainitiative.org
> Subject: Re: [Wg-egov] FW: [security-services] SAML deployments that use
> consent step?
>
> Yep, I'm following it as best I can with an already overflowing
> mailbox... :-)
>
> I'm pretty sure NZ uses the Consent attribute in our deployment. We
> absolutely deploy consent, so I just need to double check that it does it
> using the Consent attribute.
>
> I think Denmark does too.
>
> Cheers
> Colin
>
> -----Original Message-----
> From: wg-egov-bounces at kantarainitiative.org
> [mailto:wg-egov-bounces at kantarainitiative.org] On Behalf Of Kyle Meadors
> Sent: Tuesday, 10 November 2009 1:17 p.m.
> To: wg-egov at kantarainitiative.org
> Subject: [Wg-egov] FW: [security-services] SAML deployments that use
> consent step?
>
> There is an interesting discussion occurring on the SSTC list on the
> practical merits and use of the user consent feature within SAML. Below
> is just one of many emails in the discussion
> (http://lists.oasis-open.org/archives/security-services/200911/threads.html).
>
> The eGov profile has the Consent attribute as a MUST support within the IdP
> AuthnResponse, and we tested it in the previous SAML IOP test event. However,
> several have commented that they are not aware of its use in the
> real world.
>
> I think it is always good for authors of profiles and test plans to
> periodically question the validity of their requirements. So just asking:
> is it worth keeping this in our profile and also testing it within the KI
> program?
>
> Kyle Meadors
> DGI
>
>
> -----Original Message-----
> From: Cahill, Conor P [mailto:conor.p.cahill at intel.com]
> Sent: Monday, November 09, 2009 4:12 PM
> To: Josh Howlett; Scott Cantor
> Cc: 'Paul Madsen'; 'oasis sstc'
> Subject: RE: [security-services] SAML deployments that use consent step?
>
> The consent flag came about when some members of the Public Policy EG
> within Liberty thought that it was useful to have a positive indicator from the
> RP that it had, in fact, gathered consent from the user before attempting
> the federation. I argued against that, saying that the existence of the
> request was good enough proof that the RP believed it was acting under user
> consent. This was another one that I lost (amongst many).
>
> The basic model around an RP obtaining consent from the user is where the
> IdP has a relationship with the RP such that it trusts the RP to obtain
> consent from the user for a federation and/or SSO event before submitting
> the request. In such cases, allowing the RP to indicate that they have
> obtained consent can relieve the IdP from having to perform its own check
> with the user for consent to establish a new relationship with the RP.
>
> This level of relationship is usually based upon legally binding
> agreements that govern the behavior of the RP and, to some extent, treat the RP as
> an extension of the IdP for the purpose of obtaining consent.
>
> In other cases, where you don't have that level of trust in the RP, the
> IdP will perform its own consent checks with the user (or will operate
> under some other out-of-band mechanism re: consent -- this is typically what is
> understood in the business-to-employee environment, where the employee is
> assumed to have already given consent to the employer to federate the
> user's identity amongst the systems running the organization, and individual
> consents from the user aren't necessary).
>
> Conor
>
> -----Original Message-----
> From: Josh Howlett [mailto:josh.howlett at gmail.com]
> Sent: Monday, November 09, 2009 5:00 PM
> To: Scott Cantor
> Cc: Josh Howlett; 'Paul Madsen'; 'oasis sstc'
> Subject: Re: [security-services] SAML deployments that use consent step?
>
> On 9 Nov 2009, at 21:41, Scott Cantor wrote:
> > Josh Howlett wrote on 2009-11-09:
> >> While we're on the subject, I've always been a bit puzzled about the
> >> use-cases for the consent identifiers; in particular, why an RP might
> >> care whether consent has been given or not.
> >
> > They're for auditing, essentially. You get a signed document
> > indicating something about consent so you can point the finger later.
>
> Ok. In the EU consent is irrelevant as far as an RP is concerned, as
> the IdP is liable by default when TSHTF. I can't think of a scenario
> where an RP would need to retrospectively demonstrate consent.
>
> > The more bizarre use case to me was always why an IdP would care about
> > consent
>
> You'll need to expand on that for me. When does an IdP receive a
> consent identifier?
>
> josh.
>
> _______________________________________________
> Wg-egov mailing list
> Wg-egov at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-egov
Robin Wilton
Director, Future Identity
Director of Privacy and Public Policy, Liberty Alliance
www.futureidentity.eu
+44 (0)705 005 2931
====================================================================
Structured consulting on digital identity, privacy and public policy
====================================================================
Future Identity is a limited company number 6777002, registered in England & Wales
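The IdP-side model Conor describes above (rely on the RP's consent flag only when the RP is contractually bound to gather consent, otherwise run the IdP's own check) as an added Python example; it is not code from the thread or from any deployment named in it. It assumes the request has already been signature-verified and its Issuer matched against metadata, and the trusted-RP set is a constructed placeholder.

```python
# Added example (not from the thread): an IdP-side policy check that reads the
# protocol-level Consent attribute from a SAML 2.0 AuthnRequest and decides
# whether the IdP must still run its own consent step. Assumes the request was
# already signature-verified and its Issuer matched against metadata.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Consent identifier URIs from SAML 2.0 Core, section 8.4.
CONSENT_PREFIX = "urn:oasis:names:tc:SAML:2.0:consent:"
CONSENT_GIVEN = {  # values by which the RP asserts it gathered consent
    CONSENT_PREFIX + "obtained",
    CONSENT_PREFIX + "prior",
    CONSENT_PREFIX + "current-implicit",
    CONSENT_PREFIX + "current-explicit",
}
# unspecified, unavailable, inapplicable and any unknown value fall through:
# the IdP cannot rely on the RP and must decide for itself.

# Constructed placeholder: RPs bound by agreement to gather consent themselves.
TRUSTED_CONSENT_RPS = {"https://sp.example.org/saml"}

def consent_decision(authn_request_xml, trusted_rps=TRUSTED_CONSENT_RPS):
    """Return (consent_uri, idp_must_ask) for one AuthnRequest.

    idp_must_ask is False only when a contractually trusted RP asserts that
    consent was obtained; the returned URI is what the IdP should log for audit."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find("{%s}Issuer" % SAML)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    # An absent attribute is equivalent to the 'unspecified' URI.
    consent = root.get("Consent", CONSENT_PREFIX + "unspecified")
    rp_claims_consent = consent in CONSENT_GIVEN
    idp_must_ask = not (rp_claims_consent and issuer in trusted_rps)
    return consent, idp_must_ask


# Constructed sample request from a trusted RP claiming explicit consent.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed1" Version="2.0" IssueInstant="2009-11-10T11:23:52Z"
    Consent="{CONSENT_PREFIX}current-explicit">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(consent_decision(SAMPLE_REQUEST))
```

The same RP sending no Consent attribute, an untrusted RP sending a valid one, or any RP sending an unknown URI all resolve to "IdP must ask", which keeps a forged or unrecognised flag from silently suppressing the IdP's own consent step.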