[WG-UMA] For email and Oct 9 discussion/closure: trust elevation profile (issue 92)
eve at xmlgrrl.com
Tue Oct 7 09:54:31 CDT 2014
The issue is here:
The profile is proposed here:
On 1 Oct 2014, at 5:38 PM, Eve Maler <eve at xmlgrrl.com> wrote:
> (Attendance was very attenuated at this meeting. I'm getting a bit wary of the "APAC-friendly scheme" as a result, since we have so much to do in the coming weeks. Thoughts?)
> 92: trust elevation profile
> This can come up for financial data, and also for legal accountability over access to health data in break-the-glass situations. E.g., Alice might want to have a policy that says Bob has to have LOA3 when accessing her data, so she can find him and sue him if something goes wrong. Mike's profile enables revocation of the AAT, not just the relevant permission in the RPT, if the AAT were issued on the strength of a too-weak requesting party authentication. We looked at the written profile and thought that it might need to be abstracted away a bit from OpenID Connect, but otherwise seems like it's probably a good addition. We need to discuss this with a larger group.
Eve Maler http://www.xmlgrrl.com/blog
+1 425 345 6756 http://www.twitter.com/xmlgrrl
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the WG-UMA