I asked a qualified colleague to enumerate the high-level requirements that would allow a federated identity system to /most comprehensively/ address the requirements of the EU data protection regime. Here's what he suggested that the system should ideally provide:
a) release of essential information from the IdP to the RP with notification to user, and
b) seeking of user's consent to release of non-essential information from the IdP to the RP, and
c) provision of information from the user to the RP

It would be entirely possible to construct a system that didn't have all of these properties yet satisfied the EU's DP requirements, but I suggest we aim high as a starting point and pull back if necessary.

Is there anything that anyone would like to add to this list?

Josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
