[WG-P3] Towards a Unified Theory

Rainer Hörbe rainer at hoerbe.at
Fri Mar 11 09:31:34 EST 2011


Consent has several use cases, and it is not enough to transmit a consent in a SAML assertion for a generic concept:

a) The simple case is that the principal (in the sense of the authenticated user) and the data subject are identical, and consent is given for a specific transaction. Consent is an attribute in the SAML assertion.

b) Same as a), but consent is provided for a larger scope than the specific transaction, but for a specific RP. The RP needs to store the consent for future transactions.

c) Principal and data subject are the same, but multiple RPs are involved. Consent must be stored by some agent, like the Authorization Manager in the UMA constellation.

d) Principal and data subject are different for a transaction. The principal (or RP) must query a consent repository. Patient consent is a typical use case. There are 2 relevant standards: IHE Basic Patient Privacy Consent (BPPC) and XACML to specify a privacy policy. The IHE stuff is heavily dependent on ebXML and HL7/CDA, thus it cannot be applied outside the eHealth domain. However, the use cases (implicit/explicit consent, wet/electronic signature etc.) are worthwhile to study.

- Rainer
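Cases a) and b) above in working code, as an added example that is not part of this thread: an RP evaluates the consent carried in a SAML 2.0 response before acting on a transaction. The Consent XML attribute and its URIs are defined by SAML 2.0 core (on the protocol message, not inside the assertion); the consent-scope attribute name, the sample response and the IdP/RP URLs are constructed here for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML 2.0 core consent identifiers that denote consent actually given
CONSENT_GIVEN = {"urn:oasis:names:tc:SAML:2.0:consent:obtained",
                 "urn:oasis:names:tc:SAML:2.0:consent:prior",
                 "urn:oasis:names:tc:SAML:2.0:consent:current-explicit"}
SCOPE_ATTR = "urn:example:consent-scope"  # hypothetical attribute name
# Constructed sample: an IdP response carrying explicit consent for two
# transaction types, scoped to one RP for a 15-minute window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2011-03-11T14:00:00Z"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:current-explicit">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-03-11T14:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotBefore="2011-03-11T13:55:00Z" NotOnOrAfter="2011-03-11T14:10:00Z">
      <saml:AudienceRestriction><saml:Audience>https://rp.example.net</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="urn:example:consent-scope">
      <saml:AttributeValue>address-lookup</saml:AttributeValue>
      <saml:AttributeValue>newsletter</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_consent(response_xml, relying_party, transaction, now):
    """Return (allowed, reason, scope). Assumes the XML signature was already
    verified; this checks only consent kind, validity window, audience, scope."""
    root = ET.fromstring(response_xml)
    if root.get("Consent") not in CONSENT_GIVEN:
        return False, "no explicit consent asserted", ()
    assertion = root.find("saml:Assertion", NS)
    conds = assertion.find("saml:Conditions", NS)
    if not (parse_instant(conds.get("NotBefore")) <= now
            < parse_instant(conds.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", ()
    audiences = {a.text for a in assertion.findall(".//saml:Audience", NS)}
    if relying_party not in audiences:
        return False, "consent not addressed to this RP", ()
    # Case b): the RP may persist this scope until NotOnOrAfter for later use
    scope = tuple(v.text for v in assertion.findall(
        f".//saml:Attribute[@Name='{SCOPE_ATTR}']/saml:AttributeValue", NS))
    if transaction not in scope:
        return False, "transaction not covered by consented scope", scope
    return True, "consent covers transaction", scope
```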

On 11.03.2011 at 14:24, Mark Lizar wrote:

> 
> Hello All,
> 
> Last October at the Kantara Face 2 Face I presented on the efforts of  
> P3 and our move towards developing a privacy framework.  At the time  
> of the presentation we discussed liaising with different work groups  
> inside Kantara.
> 
> Since this time I have been thinking about what kind of liaison would  
> be useful and productive.  As I am currently working on a summary of the  
> Consent and Notice Privacy principles for the PF-SG  (next week) and  
> considering the great thread that has revolved around discussing  
> terms, I thought I would maybe combine my deliverable with a bit of  
> information gathering.
> 
> John, is it possible to get more information (references) on the use  
> of Notice and Consent in SAML and SSO?  (If there is any in reference  
> to the data subject or Principal?)
> 
> Also, could I ask someone (like Ben Wilson) to provide a summary of  
> Consent and Notice in IAF?  e.g. References to the differences in  
> notice or consent at varying levels of Insurance?
> 
> I would be grateful for this type of help and I would like to include  
> this in the analysis I will be working on next week. (if possible)
> 
> Best Regards,
> 
> Mark Lizar
> P3 Secretary
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3
