[WG-InfoSharing] Things to consider ...

Nat Sakimura sakimura at gmail.com
Wed Jan 30 23:37:51 EST 2013


... for the rechartering.

As I see, Standard label "protocol" has three maturity phases.

ph.1 - Just a text / graphical display. Human readable, but not quite
machine readable.
ph.2 - Machine readable structured data version. In this case, the
multi-lingual support becomes trivial.
ph.3 - Auto-negotiation between the client and the server. The
authorization server / user-agent
 stores the user preference and judges if the request falls into "ok" or
"ask" category.
 In the later case, the user will be prompted to review and give consent.

>From the operational point of view, the labels have to be stored at a
trusted archive.
Otherwise, the client may launch an attack to the users by changing the
labels and saying
that it was like that all the time and the user gave consent to it.

For this reason, it may be a good practice to have a trusted repository in
which the labels are stored,
and the IdP or Apps pulling the label from the repository to show it to the
user.
In case of IdP, the IdP can store the fact that the user gave consent at
such and such time,
so that it can be compared to the repository.
In case of an App that wants to pull the data from the device, it gets more
challenging.
It is probably better to have a local IdP and the Apps to interact with it,
but it is a long way to go.

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20130131/c317083f/attachment.html 


More information about the WG-InfoSharing mailing list