
security-services message



Subject: Re: [security-services] SAML deployments that use consent step?


On 9 Nov 2009, at 21:41, Scott Cantor wrote:
> Josh Howlett wrote on 2009-11-09:
>> While we're on the subject, I've always been a bit puzzled about the
>> use-cases for the consent identifiers; in particular, why an RP might
>> care whether consent has been given or not.
>
> They're for auditing, essentially. You get a signed document indicating
> something about consent so you can point the finger later.

Ok. In the EU consent is irrelevant as far as an RP is concerned, as  
the IdP is liable by default when TSHTF. I can't think of a scenario  
where an RP would need to retrospectively demonstrate consent.

> The more bizarre use case to me was always why an IdP would care about
> consent

You'll need to expand on that for me. When does an IdP receive a  
consent identifier?

josh.

