Tom,

> It depends on the trust relationship the SP has with the various AAs
> in question, but in general, this is a hard problem. How does the SP
> prove to the AA that the user is present and actively involved in the
> transaction? The AA would have to have a fairly liberal attribute
> release policy to hand out user attributes to the SP without some form
> of user consent.
Right, this is an important point. I don't think consent is a showstopper in the sense that one can reasonably choose to not care about consent in many scenarios. However, I agree that it would be very desirable to have a strong story for consent.

ABFAB *may* provide a better approach for consent than that which can be achieved through the conventional HTTP-based bindings, because the architecture posits an agent (the EAP peer) on the subject's host which could communicate directly with any Issuer known by the subject (e.g. the AA uses some kind of RPC to request user interaction through this agent). We have previously considered the agent as primarily a means of managing user interaction for identity selection, but it doesn't seem unreasonable to extend this to consent management.

I think we have previously concluded that it would be reasonable to apply this kind of approach, but there isn't a concrete proposal on the table at the moment. Suggestions welcome!

Josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
