OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] SAML deployments that use consent step?


I said:

  If we're going to allow SPs to be used that aren't clearly part
  of a business need (or where we don't want to go to the trouble of
  figuring out whether they are), then we need to get user agreement before
  personal info (and that might include even an opaque persistent
  identifier) can be sent.

You (quoting the Terena report) said:

> "Consent should only be used, if at all, for services that are not 
> necessary, or to provide optional information to services that are 
> necessary."

which I think are consistent technically, but differ in emphasis.  I'm 
contending that those non-necessary SPs and optional info for necessary 
SPs are important to support, hence motivate consent-obtaining infra at 
the IdP, while you (for some value of you) are, as far as I can tell, 
implying (by "if at all") that those cases are not important to support, 
that in fact effort to support them at IdPs might do more harm than good.

(Now that I read Conor's note, let me clarify that by "consent" I'm not 
referring to consent labels in SAML messages, but services at the IdP that 
obtain user consent before releasing info.  I hope you're talking about 
the latter notion too, not the former.)

It seems to me that if an IdP follows your advice and does not deploy any 
consent mechanism, that those non-necessary cases are simply not 
supported, correct?  Meaning that those SPs will, typically, acquire this 
data (or these users) in some other fashion, e.g. avoiding federation, it 
seems to me.

My comment about disagreement was referring to the Swiss federation, which 
apparently thought that IdP-managed consent was important enough to 
develop software to do so and to deploy it (I think) universally in their 
federation.  I don't know whether their deployment makes the distinction 
between necessary/optional that we both recognize.

> There's some on-going work in the European HE federations community 
> looking at expressing RPs' attribute requirements in SAML metadata, in 
> concert with assertions from TTPs attesting to the 'necessity' of these 
> attributes, that a user could subsequently consent to. However, it's not 
> clear yet if this could be made to work practically.

In the InCommon federation we are, not surprisingly, talking seriously 
about very similar representations, though so far the notion of 
"necessity" hasn't been central.

  - RL "Bob"

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]