[WG-InfoSharing] Things to consider ...
sakimura at gmail.com
Wed Jan 30 23:37:51 EST 2013
... for the rechartering.
As I see it, the Standard label "protocol" has three maturity phases.
ph.1 - Just a text / graphical display. Human readable, but not quite
ph.2 - Machine readable structured data version. In this case, the
multi-lingual support becomes trivial.
ph.3 - Auto-negotiation between the client and the server. The
authorization server / user-agent
stores the user preference and judges if the request falls into "ok" or
In the latter case, the user will be prompted to review and give consent.
From the operational point of view, the labels have to be stored at a
Otherwise, the client may launch an attack on the users by changing the
labels and saying
that it was like that all the time and the user gave consent to it.
For this reason, it may be a good practice to have a trusted repository in
which the labels are stored,
and the IdP or Apps pulling the label from the repository to show it to the
In case of IdP, the IdP can store the fact that the user gave consent at
such and such time,
so that it can be compared to the repository.
In case of an App that wants to pull the data from the device, it gets more
It is probably better to have a local IdP and the Apps to interact with it,
but it is a long way to go.
Nat Sakimura (=nat)
Chairman, OpenID Foundation
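
An added example, not part of the original message: a minimal sketch of the trusted-repository idea above, in which the IdP's stored consent time is compared against an append-only label history to test a client's claim about what the user agreed to. The class, function and field names, the integer timestamps, and the choice to also store a SHA-256 label digest with the consent record are all assumptions made for illustration.

```python
import hashlib
from bisect import bisect_right

def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class LabelRepository:
    """Append-only, versioned label store (hypothetical trusted repository)."""

    def __init__(self):
        self._versions = {}  # client_id -> [(published_at, sha256_of_label), ...]

    def publish(self, client_id, label_text, published_at):
        history = self._versions.setdefault(client_id, [])
        if history and published_at <= history[-1][0]:
            raise ValueError("versions are append-only and time-ordered")
        history.append((published_at, _digest(label_text)))

    def digest_at(self, client_id, when):
        """Digest of the label in effect at time `when`, or None."""
        history = self._versions.get(client_id, [])
        idx = bisect_right([t for t, _ in history], when) - 1
        return history[idx][1] if idx >= 0 else None

def record_consent(repo, client_id, user, when):
    """What the IdP stores: who consented, when, and (assumption) the label digest."""
    digest = repo.digest_at(client_id, when)
    if digest is None:
        raise LookupError("no label was published for this client at that time")
    return {"user": user, "client_id": client_id,
            "consented_at": when, "label_sha256": digest}

def client_claim_holds(repo, consent, claimed_label_text):
    """Does the label the client says was consented to match the repository's
    version at the recorded consent time?"""
    in_effect = repo.digest_at(consent["client_id"], consent["consented_at"])
    return _digest(claimed_label_text) == in_effect == consent["label_sha256"]

def needs_reconsent(repo, consent, now):
    """True when the label changed after consent, so the user must review again."""
    return repo.digest_at(consent["client_id"], now) != consent["label_sha256"]

if __name__ == "__main__":
    repo = LabelRepository()  # constructed sample data below
    repo.publish("app1", "Shares: email address", 100)
    consent = record_consent(repo, "app1", "alice", 150)
    repo.publish("app1", "Shares: email address, contacts, location", 200)
    print(client_claim_holds(repo, consent, "Shares: email address, contacts, location"))  # False
    print(needs_reconsent(repo, consent, 250))  # True
```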