[WG-P3] [WG-IDAssurance] What to call a Relying Party in terms of a Trust Framework
ben at digicert.com
Thu Mar 10 19:30:37 EST 2011
Is this discussion part of the effort to develop a Trust Framework Meta
Model? If so, I understand the problem better now; it seems that the
challenge is related to what Rainer mentioned earlier, that it is difficult
to map / cross-walk identity-related roles and terminologies in various
systems (PKI, SAML, Privacy) into a single concept domain, like the
difficulty Einstein had developing his unified field theory. But I suppose
we need to write something that will make the whole picture a little more
clear. I like the use of meta-tags (e.g. <saml:Issuer>). Maybe we ought to
create a new set of cross-federation metatags as part of the Trust Framework
Meta Model? If I'm off base on my understanding of where we're going, let
me know, but maybe we throw out the lower level glossaries and start fresh
with words that are tailored to the issues we're trying to address (unless
an underlying term is congruent with 90% or more of what we're trying to
From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of John
Sent: Thursday, March 10, 2011 3:37 PM
To: Patrick Curry
Cc: Richard G. WILSHER (Zygma); IA WG; Tom Smedinghoff; Kantara P3WG
Subject: Re: [WG-IDAssurance] [WG-P3] What to call a Relying Party in terms
of a Trust Framework
Principal in SAML refers to the entity who gets authenticated.
The <saml:Subject> contains an identifier for the Principal.
In the SSO case that is the user and data subject.
However, SAML assertions are also used in other places, where the assertion is used by
something that may be a Data Processor to gain access to something like an OAuth
resource or WS-* service; in that case the <saml:Issuer> may also be the
I think the Subject/Principal terminology is accurate for the scope of the
assertion; however, I think people are referring to higher level entities.
In SAML the Data Processor, Data Subject and the Data Controller could all
be Principals in a given assertion depending on the flow.
The common case is that the Data Subject/User is the Principal. Though I am
willing to bet people will point out that at an application level the user
and Data Subject may be different as well :)
I just want people to understand the terms may have different uses in
On 2011-03-10, at 4:46 PM, Patrick Curry wrote:
I like your thinking. When is a Data Subject not a Principal and when is
that important, or is it more complicated than that?
Clarion Identity Ltd
M: +44 786 024 9074
T: +44 1980 620606
patrick.curry at clarionidentity.com
Internet communications are not secure and therefore Clarion Identity
Limited, Rock House, SP3 4JY does not accept legal responsibility for the
contents of this message. Any views or opinions presented are solely those
of the author and do not necessarily represent those of Clarion Identity
Limited unless otherwise specifically stated. If this message is received by
anyone other than the addressee, please notify the sender and then delete
the message and any attachments from your computer.
On 10 Mar 2011, at 18:28, Mark Lizar wrote:
Yes, I see the limits of the term principal.
Personally, I like Master Controller, but it suffers from the same
sort of limitations. I think in a privacy perspective Master
Controller may be incredibly useful as a technical term but that is
just my opinion.
In reality even data subject has semantic issues as a term and maybe
even a blurring of terminological meaning at an attribute level.
The significant difference is that Data Subject, Data Controller, and
Data Processor are entrenched legally and therefore have some
Either way, it seems, terms need to find a way to be mapped by
something like an agreed standard.
On 10 Mar 2011, at 17:19, John Bradley wrote:
Principal is used in the protocol domain to refer to the entity that the
assertion is about.
In many cases it is the same as Data Subject but as assertions can
be used for many things that is not always true.
On 2011-03-10, at 11:41 AM, Rainer Hörbe wrote:
On 10.03.2011 at 12:26, Mark Lizar wrote:
In Data Protection, there are Roles: Controller, Processor and
I am only familiar with the terminology from the European DPD:
Controller, Processor, Requester and Data subject. In which domain
is Principal defined, and how does it map?
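The protocol-level parties John describes above, as an added example that is not part of the thread: it reads the <saml:Issuer> and <saml:Subject> of a constructed SAML 2.0 assertion (hypothetical idp.example.org / sp.example.com names) together with the SubjectConfirmation method and Audience, so a reviewer can see who the assertion is about before deciding which legal role (Data Subject, Processor, Controller) that Principal plays in a given flow.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; issuer, subject and audience values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2011-03-10T19:30:37Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-4711</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-03-10T19:30:37Z" NotOnOrAfter="2011-03-10T19:35:37Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def assertion_parties(xml_text):
    """Return the issuer, the Principal (Subject NameID), how the Subject is
    confirmed, and the audiences the assertion is restricted to.

    Raises ValueError when Issuer or Subject/NameID is missing: without a
    Principal there is nothing to map onto a Data Protection role.
    For untrusted input, parse with defusedxml instead of the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 2.0 Assertion: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if issuer is None or name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks Issuer or Subject NameID")
    # bearer vs. holder-of-key / sender-vouches tells you who may present it
    methods = [sc.get("Method")
               for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    return {
        "issuer": (issuer.text or "").strip(),
        "principal": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "confirmation_methods": methods,
        "audiences": audiences,
    }
```

In the SSO case the Principal returned here is the user (the Data Subject); the same function run over an assertion presented by a service to an OAuth or WS-* resource would return that service as the Principal, which is the distinction John makes.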