[WG-P3] Towards a Unified Theory

John Bradley ve7jtb at ve7jtb.com
Fri Mar 11 10:00:16 EST 2011


The idea with the consent indication in the authn request was to allow the RP to collect the consent for the information release before redirecting the user to the IdP.   This needs a strong trust relationship with the RP that may not exist in many cases.

I like the wayf consent system.   It makes the problem of retrofitting the individual IdP much easier.
However the proxy itself creates a new point to trust and protect.  I don't know that it is a universal solution.

The technical solutions will need to keep up with the policy.

With information cards(RIP) we tried to build notice and consent directly into the protocol.  
That however created as many problems as it solved in many ways.

John B.
On 2011-03-11, at 11:46 AM, David Simonsen wrote:

> Hello John, Mark,
> 
> Sorry for jumping into the discussion - please find comments in-line:
> 
> On Mar 11, 2011, at 2:58 PM, John Bradley wrote:
>> The only thing that talks about notice and consent in SAML is a message that the SP can send to the IdP saying the user has already consented.  That is useful in some federations but a high level of trust must exist with the SP/RP.
> 
> IMHO consent to exchange of attributes must always happen _before_ they are send to the SP.
> It does not make sense to ask the user for consent to data exchange after the exchange has taken place.
> Please find a video presentation on user consent of how to handle / manage user consents centrally (in hub-and-spoke federations) at:
> http://wayf.dk/wayfweb/users'_consent_to_data_exchange.html in the video archive: http://wayf.dk/wayfweb/video_archive.html
> 
>> All of the user interface parts are outside of the spec. (With the possible exception of the not widely used ECP client)
>> 
>> It is common practice for access to attributes to be negotiated directly between the IdP and the SP and sent by configuration eg  SP x gets some fixed list of attributes every time.   Or a separate attribute query is performed directly between the SP and IdP without user involvement.
>> 
>> This causes the user consent experience to be all over the place with SAML.  
>> In many cases there is no method of knowing what attributes the RP/SP is asking for at the time of the user interacting with the IdP.
>> 
>> SAML supports requesting the attributes as part of the authn request.  The FICAM SAML profile strongly encourages this.
> 
> The question is fundamentally about negotiation power and adherence to the principle of minimal disclosure (SPs typically want more user information than needed).
> 
> Federation operators may suggest attribute release policies (ARP's) in the federations' metadata, but IdPs may be pressed to deliver what the SP requests (because of low IdP negotiation power in p2p setups).
> In hub-and-spoke federations, with central proxy IdPs,  it's not only possible to enforce ARPs, the balance (proxy) IdP negotiation power i far stronger. Feel free to have a look at http://wayf.dk/wayfweb/about_attributes.html
> 
>> With openID there is a more consistent pattern of the IdP asking for consent,  this is more of a deployment choice by the IdP rather than something inherent in the protocol.
>> 
>> None of the protocols support the sort of notice that the privacy community is asking for.  The IdP has no in-band way to know what the SP is collecting the attribute for or what the consequence of not providing it is.
> 
> This is at the heart of the problem:  SPs should only recieve attributes which balance the purpose of the service delivered. Two (legal) principles come into play: proportionality and minimal disclosure.
> 
>> The closest they come is a devision between required attributes and optional attributes.
>> Though interpritations of those can vary as well.
>> 
>> Some IdP ignore optional attributes and never return them.  Leading RP/SP to make them all required.
>> 
>> Attributes are an area not covered in the IAF or in FICAM to any extent.  The existing frameworks concentrate almost exclusively on the identifier. As the identifier may be the persons proofed name and address in some systems, that is normally the extent of it.
>> 
>> John B
> 
> Have a good weekend,
> 
> David SImonsen
> 
> 
> 
> David Simonsen
> Executive manager
> Phone: +45 31216152
> 
> H. C. Andersens Boulevard 2
> DK-1553 København V
> 
>> On 2011-03-11, at 10:24 AM, Mark Lizar wrote:
>> 
>>> 
>>> Hello All,
>>> 
>>> Last October at the Kantara Face 2 Face I presented on the efforts of P3 and our move towards developing a privacy framework.  At the time of the presentation we discussed liaising with different work groups inside Kantara.
>>> 
>>> Since this time I have been thinking about what kind of liaison would be useful and productive.  As I am currently working on summary of the Consent and Notice Privacy principles for the PF-SG  (next week) and considering the great thread that has revolved around discussing terms, I thought I would maybe combine my deliverable with a bit of information gathering.
>>> 
>>> John, is it possible to get more information (references) on the use of Notice and Consent in SAML and SSO?  (If there is any in reference to the data subject or Principal?)
>>> 
>>> Also, could I ask someone (like Ben Wilson) to provide a summary of Consent and Notice in IAF?  e.g. References to the differences in notice or consent at varying levels of Insurance?
>>> 
>>> I would be grateful for this type of help and I would like to include this in the analysis I will be working on next week. (if possible)
>>> 
>>> Best Regards,
>>> 
>>> Mark Lizar
>>> P3 Secretary
> 
> 
> 
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
Url : http://kantarainitiative.org/pipermail/wg-p3/attachments/20110311/c44ebafb/attachment.bin 


More information about the WG-P3 mailing list