[WG-IDAssurance] RP Privacy Use cases
Kenneth.Dagg at tbs-sct.gc.ca
Wed Mar 23 13:56:49 EDT 2011
In my understanding of SAML V2 these two use cases can, from a technical perspective, be accommodated. Whether products exist that implement these protocols is another question.
The first is handled by AuthzDecisionQuery which is designed to answer, "should actions on this resource be allowed for this subject, given this evidence?". The second is handled by AttributeQuery which is designed to return the requested attributes for a specific subject.
The AuthzDecisionQuery includes Evidence parameters which are the means of the SP passing attributes to the IdP for verification.
Ken
Kenneth Dagg
Senior Project Co-ordinator | Coordonnateur de projet supérieur
Security & Identity Management | Sécurité et gestion de l'identité
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
Kenneth.Dagg at tbs-sct.gc.ca
Telephone | Téléphone 613-957-7041 / Facsimile | Télécopieur 613-952-3820 / Teletypewriter | Téléimprimeur 613-957-9090
Government of Canada | Gouvernement du Canada
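An added example, not part of Ken's message or of any Kantara or OASIS text, sketching the two SAML 2.0 messages he names: an AuthzDecisionQuery whose saml:Evidence carries the attributes the SP already holds (Bill's first use case) and an AttributeQuery for attributes the SP does not have (his second), plus the IdP-side step of reading the evidence and answering match/no-match without releasing its own values. Entity IDs, the subject, the resource URL and the attribute names are constructed sample values; the code uses only Python's standard xml.etree and omits XML Signature, which a real deployment would apply to both the query and the evidence assertion.

```python
"""Constructed example (not from the thread): the two SAML 2.0 queries Ken names.

- AuthzDecisionQuery with <saml:Evidence>: the SP already holds attributes and
  asks the IdP to rule on an action given that evidence (use case 1).
- AttributeQuery: the SP holds nothing and asks the IdP for attributes (use case 2).

Entity IDs, subject, resource and attribute names are made-up sample values.
XML Signature is omitted; a real deployment signs both the query and the
evidence assertion."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ACTION_RWEDC = "urn:oasis:names:tc:SAML:1.0:action:rwedc"   # Read/Write/Execute/Delete/Control
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTRNAME_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def _q(ns, tag):
    """Clark-notation tag name for ElementTree."""
    return f"{{{ns}}}{tag}"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    # xs:ID must not start with a digit, hence the underscore prefix.
    return "_" + uuid.uuid4().hex


def _add_subject(parent, name_id):
    subject = ET.SubElement(parent, _q(SAML, "Subject"))
    ET.SubElement(subject, _q(SAML, "NameID"), Format=NAMEID_EMAIL).text = name_id


def build_authz_decision_query(sp_entity_id, name_id, resource, actions, held_attributes):
    """Use case 1: 'should these actions on this resource be allowed for this
    subject, given this evidence?'  The attributes the SP already holds travel
    inside <saml:Evidence> as an SP-issued assertion for the IdP to verify."""
    query = ET.Element(_q(SAMLP, "AuthzDecisionQuery"), ID=_new_id(), Version="2.0",
                       IssueInstant=_now(), Resource=resource)
    ET.SubElement(query, _q(SAML, "Issuer")).text = sp_entity_id
    _add_subject(query, name_id)
    for action in actions:
        ET.SubElement(query, _q(SAML, "Action"), Namespace=ACTION_RWEDC).text = action
    evidence = ET.SubElement(query, _q(SAML, "Evidence"))
    assertion = ET.SubElement(evidence, _q(SAML, "Assertion"), ID=_new_id(),
                              Version="2.0", IssueInstant=_now())
    ET.SubElement(assertion, _q(SAML, "Issuer")).text = sp_entity_id
    _add_subject(assertion, name_id)
    statement = ET.SubElement(assertion, _q(SAML, "AttributeStatement"))
    for name, value in held_attributes.items():
        attribute = ET.SubElement(statement, _q(SAML, "Attribute"),
                                  Name=name, NameFormat=ATTRNAME_BASIC)
        ET.SubElement(attribute, _q(SAML, "AttributeValue")).text = value
    return ET.tostring(query, encoding="unicode")


def build_attribute_query(sp_entity_id, name_id, attribute_names):
    """Use case 2: the SP names the attributes it wants; the IdP returns the values."""
    query = ET.Element(_q(SAMLP, "AttributeQuery"), ID=_new_id(), Version="2.0",
                       IssueInstant=_now())
    ET.SubElement(query, _q(SAML, "Issuer")).text = sp_entity_id
    _add_subject(query, name_id)
    for name in attribute_names:
        ET.SubElement(query, _q(SAML, "Attribute"), Name=name, NameFormat=ATTRNAME_BASIC)
    return ET.tostring(query, encoding="unicode")


def evidence_attributes(authz_query_xml):
    """IdP side: extract the SP-asserted attributes from <saml:Evidence>."""
    root = ET.fromstring(authz_query_xml)
    path = "/".join(_q(SAML, t) for t in ("Evidence", "Assertion", "AttributeStatement", "Attribute"))
    return {a.get("Name"): a.findtext(_q(SAML, "AttributeValue")) for a in root.iterfind(path)}


def verify_evidence(authz_query_xml, idp_record):
    """IdP side: confirm or deny each asserted attribute against its own record.
    Only match/no-match leaves the IdP; the stored values themselves are not disclosed."""
    asserted = evidence_attributes(authz_query_xml)
    return {name: idp_record.get(name) == value for name, value in asserted.items()}


def requested_attribute_names(attribute_query_xml):
    """IdP side: the attribute names an AttributeQuery asks for."""
    root = ET.fromstring(attribute_query_xml)
    return [a.get("Name") for a in root.iterfind(_q(SAML, "Attribute"))]
```

The privacy difference between the two is visible in what crosses the wire: with the AuthzDecisionQuery the IdP never emits an attribute value, only a decision about the SP's own assertion, whereas the AttributeQuery necessarily releases values to the SP.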
-----Original Message-----
From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of John Bradley
Sent: March 23, 2011 12:17 PM
To: Bill Braithwaite
Cc: wg-idassurance at kantarainitiative.org
Subject: Re: [WG-IDAssurance] RP Privacy Use cases
The problem is that in most if not all open protocols the SP has no way to pass the attributes to the IdP for verification.
SAML, IMI, u-prove, openID 2.0 are premised on asking for claims in a very simple key value way.
In openID ABC we are looking at being able to pass parameters for claims to the IdP so that you could do something like:
Age > 19
Street = "123 4th ST"
Until something like that catches on the Trust Framework may have to be the indicator that the RP/SP already has some attributes.
John B.
On 2011-03-23, at 12:01 PM, Bill Braithwaite wrote:
As requested, I suggested that the use cases should include 2 different types of interaction with the CSP; one where the RP provides the attributes and asks for verification of identity, the other where the RP is asking for attributes about an identity that it does not already have.
Regards,
Bill
William R. "Bill" Braithwaite, MD, PhD, FACMI
Chief Medical Officer
Anakam, an Equifax company
Washington, DC 20002
O: +1(202)543-6937 | M: +1(202)669-9444
bbraithwaite at anakam.com | www.anakam.com
_______________________________________________
WG-IDAssurance mailing list
WG-IDAssurance at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-idassurance