OASIS Mailing List Archives

security-services message

Subject: RE: [security-services] SAML deployments that use consent step?

> The more bizarre use case to me was always why an IdP would care about 
> consent (nor did I agree with defining the AllowCreate flag), but I 
> always had a different view of what Liberty calls "federation".

My institution has a privacy policy that says that the institution only 
provides personal information to third parties if (a) there is business or 
academic need, or (b) if the user agrees.  I'm pretty sure your 
institution does too.  If we're going to allow SPs to be used that aren't 
clearly part of a business need (or where we don't want to go to the 
trouble of figuring out whether they are), then we need to get user 
agreement before personal info (and that might include even an opaque 
persistent identifier) can be sent.  So in my view the ability to get 
consent enables federation with many more sites, at lower IdP admin cost.

Since I'm pretty sure you agree with this, Scott, you must be talking 
about some other aspect of IdPs and consent.

As far as:

  we believe that consent is only infrequently a practical or efficient
  instrument for protecting user privacy. Indeed, it is often too easy for
  IdPs to misuse consent to the detriment of their users' privacy.

I have heard these arguments but don't understand them, nor, apparently, 
do other European HE federations agree.  Assuming that IdPs are inherently 
hostile to user privacy seems an odd starting point.  But we digress, I 

  - RL "Bob"