Subject: RE: [security-services] SAML deployments that use consent step?
Paul Madsen wrote on 2009-11-12:
> OAuth actually mandates consent, MUST not SHOULD

I can't see how talking about consent makes sense as a technical matter, and it certainly doesn't provide a legal context for interpreting the term. But that aside, just because it mandates "consent", I don't think that changes the broader technical character of what's happening. It's not merely handling "consent".

> Could this, given the interpretation of its relevance put forward by Josh,
> preclude wider deployment?

Dunno. Here in the privacy hinterland, I tend to see the rules change to match whatever the latest hyped solution happens to support.

> The spec is crystal clear but I'm sure it could be 'interpreted'......

Well, SAML throws around statements like "the IdP MUST authenticate the user", but nobody pretends that that's technically normative. It's all in the policy.

-- Scott