[WG-IDAssurance] [WG-P3] Towards a Unified Theory
mark at smartspecies.com
Fri Mar 11 12:55:32 EST 2011
I think it is important to identify the consent models in use and the
A consent model I would guess would include consent for all things the
RP/SP may collect about the user?
Unless there is an explicit opt-out/in with exceptions that state
otherwise. At this time I believe there to be a big hole needing
better consent models that are more granular and standardised.
On 11 Mar 2011, at 15:20, John Bradley wrote:
> In general in SSO the IdP is not sending a explicit consent consent
> The IdP gathers consent from the user for returning the
> authentication assertion and some number of attributes.
> The consent is implicit in what the IdP returns.
> I think that scope is part of the question. Are we discussing just
> the identifier, the identifier and SSO attributes, or all things the
> RP/SP may collect about the user?
> John B.
> On 2011-03-11, at 12:13 PM, Jason Seto wrote:
>> for this discussion, are we specifically talking about consent as
>> it applies to the identity information that is being sent by the
>> IdP to the RP withing the message? too often i've seen a consent
>> topic derailed by different consents being combined into only one
>> "consent" which causes a lot of confusion.
>> On Fri, Mar 11, 2011 at 10:00 AM, John Bradley <ve7jtb at ve7jtb.com>
>> The idea with the consent indication in the authn request was to
>> allow the RP to collect the consent for the information release
>> before redirecting the user to the IdP. This needs a strong trust
>> relationship with the RP that may not exist in many cases.
>> I like the wayf consent system. It makes the problem of
>> retrofitting the individual IdP much easier.
>> However the proxy itself creates a new point to trust and protect.
>> I don't know that it is a universal solution.
>> The technical solutions will need to keep up with the policy.
>> With information cards(RIP) we tried to build notice and consent
>> directly into the protocol.
>> That however created as many problems as it solved in many ways.
>> John B.
>> On 2011-03-11, at 11:46 AM, David Simonsen wrote:
>> > Hello John, Mark,
>> > Sorry for jumping into the discussion - please find comments in-
>> > On Mar 11, 2011, at 2:58 PM, John Bradley wrote:
>> >> The only thing that talks about notice and consent in SAML is a
>> message that the SP can send to the IdP saying the user has already
>> consented. That is useful in some federations but a high level of
>> trust must exist with the SP/RP.
>> > IMHO consent to exchange of attributes must always happen
>> _before_ they are send to the SP.
>> > It does not make sense to ask the user for consent to data
>> exchange after the exchange has taken place.
>> > Please find a video presentation on user consent of how to
>> handle / manage user consents centrally (in hub-and-spoke
>> federations) at:
>> > http://wayf.dk/wayfweb/users'_consent_to_data_exchange.html in
>> the video archive: http://wayf.dk/wayfweb/video_archive.html
>> >> All of the user interface parts are outside of the spec. (With
>> the possible exception of the not widely used ECP client)
>> >> It is common practice for access to attributes to be negotiated
>> directly between the IdP and the SP and sent by configuration eg
>> SP x gets some fixed list of attributes every time. Or a separate
>> attribute query is performed directly between the SP and IdP
>> without user involvement.
>> >> This causes the user consent experience to be all over the place
>> with SAML.
>> >> In many cases there is no method of knowing what attributes the
>> RP/SP is asking for at the time of the user interacting with the IdP.
>> >> SAML supports requesting the attributes as part of the authn
>> request. The FICAM SAML profile strongly encourages this.
>> > The question is fundamentally about negotiation power and
>> adherence to the principle of minimal disclosure (SPs typically
>> want more user information than needed).
>> > Federation operators may suggest attribute release policies
>> (ARP's) in the federations' metadata, but IdPs may be pressed to
>> deliver what the SP requests (because of low IdP negotiation power
>> in p2p setups).
>> > In hub-and-spoke federations, with central proxy IdPs, it's not
>> only possible to enforce ARPs, the balance (proxy) IdP negotiation
>> power i far stronger. Feel free to have a look at http://wayf.dk/wayfweb/about_attributes.html
>> >> With openID there is a more consistent pattern of the IdP asking
>> for consent, this is more of a deployment choice by the IdP rather
>> than something inherent in the protocol.
>> >> None of the protocols support the sort of notice that the
>> privacy community is asking for. The IdP has no in-band way to
>> know what the SP is collecting the attribute for or what the
>> consequence of not providing it is.
>> > This is at the heart of the problem: SPs should only recieve
>> attributes which balance the purpose of the service delivered. Two
>> (legal) principles come into play: proportionality and minimal
>> >> The closest they come is a devision between required attributes
>> and optional attributes.
>> >> Though interpritations of those can vary as well.
>> >> Some IdP ignore optional attributes and never return them.
>> Leading RP/SP to make them all required.
>> >> Attributes are an area not covered in the IAF or in FICAM to any
>> extent. The existing frameworks concentrate almost exclusively on
>> the identifier. As the identifier may be the persons proofed name
>> and address in some systems, that is normally the extent of it.
>> >> John B
>> > Have a good weekend,
>> > David SImonsen
>> > David Simonsen
>> > Executive manager
>> > Phone: +45 31216152
>> > H. C. Andersens Boulevard 2
>> > DK-1553 København V
>> >> On 2011-03-11, at 10:24 AM, Mark Lizar wrote:
>> >>> Hello All,
>> >>> Last October at the Kantara Face 2 Face I presented on the
>> efforts of P3 and our move towards developing a privacy framework.
>> At the time of the presentation we discussed liaising with
>> different work groups inside Kantara.
>> >>> Since this time I have been thinking about what kind of liaison
>> would be useful and productive. As I am currently working on
>> summary of the Consent and Notice Privacy principles for the PF-SG
>> (next week) and considering the great thread that has revolved
>> around discussing terms, I thought I would maybe combine my
>> deliverable with a bit of information gathering.
>> >>> John, is it possible to get more information (references) on
>> the use of Notice and Consent in SAML and SSO? (If there is any in
>> reference to the data subject or Principal?)
>> >>> Also, could I ask someone (like Ben Wilson) to provide a
>> summary of Consent and Notice in IAF? e.g. References to the
>> differences in notice or consent at varying levels of Insurance?
>> >>> I would be grateful for this type of help and I would like to
>> include this in the analysis I will be working on next week. (if
>> >>> Best Regards,
>> >>> Mark Lizar
>> >>> P3 Secretary
>> WG-IDAssurance mailing list
>> WG-IDAssurance at kantarainitiative.org
>> WG-IDAssurance mailing list
>> WG-IDAssurance at kantarainitiative.org
> WG-IDAssurance mailing list
> WG-IDAssurance at kantarainitiative.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the WG-IDAssurance