security-services message

Subject: Re: [security-services] SAML deployments that use consent step?

From: Josh Howlett <josh.howlett@gmail.com>
To: oasis sstc <security-services@lists.oasis-open.org>
Date: Thu, 12 Nov 2009 23:53:00 +0000


On 9 Nov 2009, at 21:59, Josh Howlett wrote:

> On 9 Nov 2009, at 21:41, Scott Cantor wrote:
>> Josh Howlett wrote on 2009-11-09:
>>> While we're on the subject, I've always been a bit puzzled about the
>>> use-cases for the consent identifiers; in particular, why an RP  
>>> might
>>> care whether consent has been given or not.
>>
>> They're for auditing, essentially. You get a signed document  
>> indicating
>> something about consent so you can point the finger later.
>
> Ok. In the EU consent is irrelevant as far as an RP is concerned, as  
> the IdP is liable by default when TSHTF. I can't think of a scenario  
> where an RP would need to retrospectively demonstrate consent.

Interestingly, following further discussions with my DP colleague, it  
seems that in the EU context there is a use-case for the IdP  
retrospectively demonstrating consent that had been obtained by an RP  
from the user.

It's the same finger pointing, but reversed.

best regards, josh.

References:
- SAML deployments that use consent step?
  - From: Paul Madsen <paulmadsen@rogers.com>
- Re: [security-services] SAML deployments that use consent step?
  - From: Josh Howlett <josh.howlett@gmail.com>
- Re: [security-services] SAML deployments that use consent step?
  - From: Paul Madsen <paulmadsen@rogers.com>
- Re: [security-services] SAML deployments that use consent step?
  - From: Josh Howlett <josh.howlett@gmail.com>
- RE: [security-services] SAML deployments that use consent step?
  - From: "Scott Cantor" <cantor.2@osu.edu>
- Re: [security-services] SAML deployments that use consent step?
  - From: Josh Howlett <josh.howlett@gmail.com>