OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [security-services] SAML deployments that use consent step?


Bob,

> which I think are consistent technically, but differ in emphasis.

I think that's fair.

>  I'm contending that those non-necessary SPs and optional info for  
> necessary SPs are important to support, hence motivate consent- 
> obtaining infra at the IdP, while you (for some value of you) are,  
> as far as I can tell, implying (by "if at all") that those cases are  
> not important to support, that in fact effort to support them at  
> IdPs might do more harm than good.

There is no contention that these are not important to support. The  
contention is that it is not lawful to support these cases using the  
particular mechanism of consent in the circumstances we're discussing.

> It seems to me that if an IdP follows your advice and does not  
> deploy any consent mechanism, that those non-necessary cases are  
> simply not supported, correct?  Meaning that those SPs will,  
> typically, acquire this data (or these users) in some other fashion,  
> e.g. avoiding federation, it seems to me.

Yes, that's the conclusion. It is sometimes frustrating, of course,  
not to make fuller use of federation but that's life. In these  
circumstances our general recommendation to IdPs is to release non- 
PII, such as as an opaque identifier, which goes some way to  
addressing these cases. If the RP needs more, it can obtain it  
directly from the user and link this data against the identifier (if  
provided).

In the UK federation, a significant part of our constituency (and much  
larger than our HE users) is not even legally able to provide consent  
(in the UK, a person can only provide consent over 12 years).  
Protecting vulnerable users (4-11 years, users with learning  
difficulties, etc) is a critical concern, of course, and in these  
circumstances parents or their equivalents are the only parties who  
are authorised to provide consent.

There is certainly a place for consent, but it needs to be used  
judiciously. It is certainly not (in the EU context, at least) the  
silver bullet or "best practice" that proponents of "user centric"  
approaches sometimes suggest. I have to spend a lot of time explaining  
this to our customers, which partly explains my irritation at those  
who misrepresent this complex problem to progress their own agenda.

> My comment about disagreement was referring to the Swiss federation...

As I understand it, the Swiss data protection law follows the  
principles of the EU directive, but is not an implementation of it  
because Switzerland is not an EU member state. It is possible that  
this is an instance where Swiss and EU law differs materially.

> In the InCommon federation we are, not surprisingly, talking  
> seriously about very similar representations, though so far the  
> notion of "necessity" hasn't been central.

What's the representation that you've got in mind? (It might be useful  
to standardise a common representation, particularly in the context of  
interfederation.)

josh.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]