>>>>> "Josh" == Josh Howlett <[email protected]> writes:
>> So, Josh, I'd like to confirm that one consequence of what you're
>> saying is that it would be entirely fine for an implementation to
>> use NAIs including the actual username and for the IDP to only
>> accept the NAI if the email address was correct?
Josh> I believe that is correct.
Josh> When I was discussing this with our regulatory person, I
Josh> framed the question using a pseudonymous identifier by way of
Josh> example (because that's how we normally think about these
Josh> problems) but he strongly implied that the principle is
Josh> equivalently applicable to other less privacy-preserving
Josh> identifiers. The key point is that the IdP isn't releasing
Josh> information -- which is the legislation's basic test -- only
Josh> an opinion. However, I'll ask him to explicitly ack your
Josh> example tomorrow.
Does it matter whether the user has control over their machine?
I.E. is it OK for an employer to force their employees to install
moonshot clients that break their privacy?
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
