[WG-P3] [WG-IDAssurance] What to call a Relying Party in terms of a Trust Framework

Ben Wilson ben at digicert.com
Thu Mar 10 19:30:37 EST 2011

Is this discussion part of the effort to develop a Trust Framework Meta
Model?  If so, I understand the problem better now—it seems that the
challenge is related to what Rainer mentioned earlier – that it is difficult
to map / cross-walk identity-related roles and terminologies in various
systems (PKI, SAML, Privacy) into a single concept domain—like the
difficulty Einstein had developing his unified field theory.  But I suppose
we need to write something that will make the whole picture a little more
clear.  I like the use of meta-tags (e.g. <saml:Issuer>).  Maybe we ought to
create a new set of cross-federation metatags as part of the Trust Framework
Meta Model?   If I’m off base on my understanding of where we’re going, let
me know, but maybe we throw out the lower level glossaries and start fresh
with words that are tailored to the issues we’re trying to address (unless
an underlying term is congruent with 90% or more of what we’re trying to


From: wg-idassurance-bounces at kantarainitiative.org
[mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of John
Sent: Thursday, March 10, 2011 3:37 PM
To: Patrick Curry
Cc: Richard G. WILSHER (Zygma); IA WG; Tom Smedinghoff; Kantara P3WG
Subject: Re: [WG-IDAssurance] [WG-P3] What to call a Relying Party in terms of a Trust Framework


Principal in SAML refers to the entity who gets authenticated. 


The <saml:Subject> contains an identifier for the Principal.


In the SSO case that is the user and data subject.


However, SAML assertions are also used in other places, where an assertion is
used by something that may be a Data Processor to gain access to something
like an OAuth resource or a WS-* service; in that case the <saml:Issuer> may also be the


I think the Subject/Principal terminology is accurate for the scope of the
assertion, however I think people are referring to higher level entities.


In SAML the Data Processor, Data Subject and the Data Controller could all
be Principals in a given assertion depending on the flow.


The common case is that the Data Subject/User is the Principal.  Though I am
willing to bet people will point out that at an application level the user
and Data Subject may be different as well :)


I just want people to understand the terms may have different uses in
different scopes.


John B.
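As an added illustration of John's point above (example code, not anything from the thread or from Kantara), a small parser that reads the <saml:Issuer> and the <saml:Subject> NameID out of two constructed SAML 2.0 assertions: one where the Principal is a user, and one where the SAML 'entity' NameID format marks the Principal as a provider acting for someone else. The user/entity classification is this example's own heuristic, and every URL and identifier in it is made up.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ENTITY_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"


def _assertion(issuer, name_id, fmt):
    """Build a minimal constructed SAML 2.0 assertion (sample data, unsigned)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" '
        f'IssueInstant="2011-03-10T20:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
        f"</saml:Assertion>"
    )


# SSO case: the Principal is a user (the Data Subject in privacy terms).
SSO_ASSERTION = _assertion("https://idp.example.org/idp", "user-4711", PERSISTENT_FMT)
# Delegation case: the Principal is a service entity acting on someone's behalf
# (which privacy law would more likely call a Data Processor).
SERVICE_ASSERTION = _assertion(
    "https://idp.example.org/idp", "https://app.example.org/sp", ENTITY_FMT
)


def principal(assertion_xml):
    """Return who issued the assertion and which Principal its Subject identifies."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if issuer is None or name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks Issuer or Subject NameID: no Principal")
    fmt = name_id.get("Format", UNSPECIFIED_FMT)
    # Heuristic (an assumption of this example): the 'entity' NameID format names a
    # provider; anything else is treated as a user. The legal role (Data Subject,
    # Processor, Controller) still depends on the flow, as the thread points out.
    kind = "provider entity" if fmt == ENTITY_FMT else "user"
    return {"issuer": issuer, "principal": name_id.text.strip(), "format": fmt, "kind": kind}


if __name__ == "__main__":
    for sample in (SSO_ASSERTION, SERVICE_ASSERTION):
        print(principal(sample))
```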

On 2011-03-10, at 4:46 PM, Patrick Curry wrote:



I like your thinking.  When is a Data Subject not a Principal and when is
that important, or is it more complicated than that?



Patrick Curry


Clarion Identity Ltd
M:   +44 786 024 9074
T:   +44 1980 620606
patrick.curry at clarionidentity.com

Internet communications are not secure and therefore Clarion Identity
Limited, Rock House, SP3 4JY does not accept legal responsibility for the
contents of this message. Any views or opinions presented are solely those
of the author and do not necessarily represent those of Clarion Identity
Limited unless otherwise specifically stated. If this message is received by
anyone other than the addressee, please notify the sender and then delete
the message and any attachments from your computer.



On 10 Mar 2011, at 18:28, Mark Lizar wrote:


Yes, I see the limits of the term principal.

Personally, I like Master Controller, but it suffers from the same sort of
limitations.  I think from a privacy perspective Master Controller may be
incredibly useful as a technical term, but that is just my opinion.

In reality even Data Subject has semantic issues as a term, and maybe even a
blurring of terminological meaning at an attribute level.  The significant
difference is that Data Subject, Data Controller, and Data Processor are
entrenched legally and therefore have some recognised authority.

Either way, it seems, terms need to find a way to be mapped by something like
an agreed standard.

- Mark

On 10 Mar 2011, at 17:19, John Bradley wrote:

Principal is used in the protocol domain to refer to the entity that the
assertion is about.

In many cases it is the same as Data Subject, but as assertions can be used
for many things that is not always true.


John B.

On 2011-03-10, at 11:41 AM, Rainer Hörbe wrote:



On 10.03.2011 at 12:26, Mark Lizar wrote:


In Data Protection, there are Roles: Controller, Processor and  



I am only familiar with the terminology from the European DPD: Controller,
Processor, Requester and Data Subject. In which domain is Principal defined,
and how does it map?


- Rainer

