RE: [security-services] Groups - draft-sstc-nameid-05.pdf uploade d

["Conor P. Cahill" <concahill@aol.com>]

Scott Cantor wrote on 10/29/2003, 11:31 AM:

 > Subtle, but true. Question...does ID-FF in your mind address that
 > requirement? I'm not sure I'd claim that it has actually specified
 > such a means.

No.  ID-FF assumes that the IdP can perform this operation when it has 
control of the browser during a re-direct (just as it can request 
authentication credentials).   There is a place where the SP can 
postiviely indicate that it has obtained consent from the user, but, in 
my opinion, this is less than valuable from a technological point of view.

There was no real reason to require an on-the-wire protocol for this 
because the IdP always gets control of the user interface during the 
authentication/federation process and can implement whatever is 
appropriate for that user interface and their policies.

Conor