> It would be entirely possible to construct a system that didn't have all of > these properties yet satisfied the EU's DP requirements, but I suggest we > aim high as a starting point and pull back if necessary. > > Is there anything that anyone would like to add to this list?
How high? The best feature Cardspace had, but which it implemented in laughable fashion, was hiding the user's interactions (meaning what RPs the user visited) from the IdP. Aiming less high, I think you should at least articulate requirements for pairwise identification, meaning the system shouldn't unavoidably add any cross-RP correlatable data above and beyond what the network layer already does. -- Scott _______________________________________________ abfab mailing list [email protected] https://www.ietf.org/mailman/listinfo/abfab
