Subject: RE: [security-services] SAML deployments that use consent step?



Paul,

I'm kind of curious about your initial question.

I often get questions about OAUTH and SAML,
and I often respond by saying that OAUTH is a "consent-giving" protocol
(as opposed to an "authentication" protocol).

That is (using the OAUTH spec use-case), a user gives consent to RitzPhoto
to download/print a JPEG file from the user's Flickr account.
I'm thinking that all the steps in OAUTH can be expressed
in SAML (right?)

/thomas/
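One place where SAML already carries a consent signal, as an added example that is not code from this thread or from any OASIS deliverable: SAML 2.0 Core (section 8.4) defines a set of consent identifier URIs that an IdP can put in the optional Consent attribute of a samlp:Response. The snippet below parses that attribute and applies an acceptance policy. The consent URIs are the spec's; the policy, the sample responses and the "ask-user" outcome are assumptions constructed for this illustration.

```python
"""
Added illustration, not code from the OASIS thread or from any SAML product:
a minimal check a SAML 2.0 Service Provider might run on the Consent
attribute of a <samlp:Response>.  The consent identifier URIs are the ones
defined in SAML 2.0 Core, section 8.4; the acceptance policy below and the
sample responses are assumptions constructed for this example.
"""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONSE_TAG = "{%s}Response" % SAMLP_NS

# Consent identifiers from SAML 2.0 Core, section 8.4.
CONSENT_PREFIX = "urn:oasis:names:tc:SAML:2.0:consent:"
CONSENT_UNSPECIFIED = CONSENT_PREFIX + "unspecified"
CONSENT_OBTAINED = CONSENT_PREFIX + "obtained"
CONSENT_PRIOR = CONSENT_PREFIX + "prior"
CONSENT_CURRENT_IMPLICIT = CONSENT_PREFIX + "current-implicit"
CONSENT_CURRENT_EXPLICIT = CONSENT_PREFIX + "current-explicit"
CONSENT_UNAVAILABLE = CONSENT_PREFIX + "unavailable"
CONSENT_INAPPLICABLE = CONSENT_PREFIX + "inapplicable"

KNOWN_CONSENT = {
    CONSENT_UNSPECIFIED, CONSENT_OBTAINED, CONSENT_PRIOR,
    CONSENT_CURRENT_IMPLICIT, CONSENT_CURRENT_EXPLICIT,
    CONSENT_UNAVAILABLE, CONSENT_INAPPLICABLE,
}

# Assumed SP policy (not from the spec): these values count as "consent given".
CONSENT_SUFFICIENT = {
    CONSENT_OBTAINED, CONSENT_PRIOR,
    CONSENT_CURRENT_IMPLICIT, CONSENT_CURRENT_EXPLICIT,
}


def response_consent(xml_text):
    """Return the Consent attribute of a samlp:Response.

    The attribute is optional; the spec treats an absent value as
    'unspecified', so that is what is returned when it is missing.
    """
    root = ET.fromstring(xml_text)
    if root.tag != RESPONSE_TAG:
        raise ValueError("root element is not samlp:Response: %s" % root.tag)
    return root.get("Consent", CONSENT_UNSPECIFIED)


def consent_decision(xml_text, require_explicit=False):
    """Decide whether the IdP reported usable consent.

    Returns (decision, consent_uri) where decision is 'accept', 'reject'
    or 'ask-user'.  'ask-user' means the SP should run its own consent
    step because the IdP did not assert consent (assumed policy).
    """
    value = response_consent(xml_text)
    if value not in KNOWN_CONSENT:
        # An unrecognised URI is never silently treated as consent.
        return ("reject", value)
    if require_explicit:
        return ("accept" if value == CONSENT_CURRENT_EXPLICIT else "ask-user", value)
    if value in CONSENT_SUFFICIENT or value == CONSENT_INAPPLICABLE:
        # 'inapplicable' means there was nothing to consent to.
        return ("accept", value)
    return ("ask-user", value)


# Constructed sample responses (skeletons, not real IdP traffic).
RESPONSE_EXPLICIT = (
    '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
    'IssueInstant="2009-11-12T10:00:00Z" Consent="%s"/>'
    % (SAMLP_NS, CONSENT_CURRENT_EXPLICIT)
)
RESPONSE_PRIOR = (
    '<samlp:Response xmlns:samlp="%s" ID="_r2" Version="2.0" '
    'IssueInstant="2009-11-12T10:00:00Z" Consent="%s"/>'
    % (SAMLP_NS, CONSENT_PRIOR)
)
RESPONSE_NO_CONSENT_ATTR = (
    '<samlp:Response xmlns:samlp="%s" ID="_r3" Version="2.0" '
    'IssueInstant="2009-11-12T10:00:00Z"/>' % SAMLP_NS
)
RESPONSE_BOGUS = (
    '<samlp:Response xmlns:samlp="%s" ID="_r4" Version="2.0" '
    'IssueInstant="2009-11-12T10:00:00Z" '
    'Consent="urn:example:consent:made-up"/>' % SAMLP_NS
)

if __name__ == "__main__":
    for name, doc in (("explicit", RESPONSE_EXPLICIT), ("prior", RESPONSE_PRIOR),
                      ("absent", RESPONSE_NO_CONSENT_ATTR), ("bogus", RESPONSE_BOGUS)):
        print(name, consent_decision(doc), consent_decision(doc, require_explicit=True))
```

Two caveats a deployment would add: the Consent attribute is only as trustworthy as the response it sits on, so it must be read after XML signature verification, not before; and a production SP should parse untrusted XML with a hardened parser (defusedxml or equivalent) rather than the stdlib module used here for brevity.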


________________________________________
From: Josh Howlett [josh.howlett@gmail.com]
Sent: Thursday, November 12, 2009 6:51 AM
To: Paul Madsen
Cc: Josh Howlett; RL 'Bob' Morgan; oasis sstc
Subject: Re: [security-services] SAML deployments that use consent step?

Paul,

On 11 Nov 2009, at 22:12, Paul Madsen wrote:
> Thanks Josh, do you have a link for that?

Here's the response from my colleague:

> I've recently re-discovered the UK Information Commissioner's original
> statement that I have been paraphrasing as "consent is hard and should
> be the last resort".
>
> Section 3.1.5 of
> http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf
> says:
>
> "The Commissioner's view is that consent is not particularly easy to
> achieve and data controllers should consider other conditions in
> Schedule 2 (and Schedule 3 if processing sensitive personal data) before
> looking at consent. No condition carries greater weight than any other.
> All the conditions provide an equally valid basis for processing. Merely
> because consent is the first condition to appear in both Schedules 2 and
> 3, does not mean that data controllers should consider consent first."
>
> I've just updated my privacy course to have the reduced version:
> "consent is not particularly easy to achieve and data controllers should
> consider other conditions ... before looking at consent."
>
> And the European Data Protection Supervisor (Peter Hustinx) said very
> much the same thing in a presentation to the ENISA summer school in
> Crete in September (and agreed with my observation that it was
> unfortunate that consent came first: "I didn't draft the
> Directive...").
>
> There are also some explicit statements about not giving people the
> impression they are consenting when they aren't in the Good Practice
> Guide on Privacy Notices (page 8 in particular):
> http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_notices_cop_final.pdf
