> So, Josh, I'd like to confirm that one consequence of what you're saying
> is that it would be entirely fine for an implementation to use NAIs
> including the actual username and for the IDP to only accept the NAI if
> the email address was correct?

I believe that is correct. When I was discussing this with our regulatory person, I framed the question using a pseudonymous identifier by way of example (because that's how we normally think about these problems) but he strongly implied that the principle is equivalently applicable to other less privacy-preserving identifiers. The key point is that the IdP isn't releasing information -- which is the legislation's basic test -- only an opinion. However, I'll ask him to explicitly ack your example tomorrow.

Josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
