On 20 Feb 2012, at 18:23, Klaas Wierenga wrote:

>> Yes, ABFAB cannot do this natively.
>> 
>> Though there are always ways around this. SAML cannot do this natively 
>> either, but the Cabinet Office (UK government) is in the middle of setting 
>> up a national federated infrastructure with exactly this property, which it 
>> achieves by having a gateway in the middle which mediates all traffic.
> 
> Right, which of course puts another entity in the middle that knows more 
> about your transactions than you might like... ;-) What you really want is to 
> be able to have the IdP issue claims that are not specific for 1 relying 
> party and that you can wield with whatever RP you like, but that probably 
> requires a client side implementation a la InfoCard.

Or giving the user an X509 cert ;-).


>> 
>> Note that this privacy requirement may well be asymmetric - there may be a 
>> difference between the IdP not being able to know about which RP the user is 
>> using, and the RP not knowing which IdP the user came from...
> 
> Yes, absolutely. And to echo what Hannes was saying, I am not at all 
> suggesting that there are currently protocols out there that satisfy all 
> privacy requirements. In fact sometimes a balance between privacy and 
> usability needs to be found; for example, it may from a privacy point of view 
> be nice to have a different pseudonymous identifier every time I use a 
> service, from a usability point of view however I may like the service to 
> maintain a history of my previous transactions.


Agree totally, but would go further and say it's almost *always* a delicate 
balancing act between privacy and usability, in the same way that it's *always* 
a balancing act between security and usability. In the whole history of 
computer science, I don't remember encountering anything where I think 
anyone has gotten the balance correct - not least, of course, because that 
balance is probably at a different point on the scale for different users of 
the technology.

R.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet - the UK's education and research network

email: [email protected] / [email protected]
GPG: 0xDE2F024C
_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
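The trade-off discussed above (a fresh pseudonym per use versus a pseudonym the service can build a history on) is easy to make concrete. The following is an added example, not code from the thread or from any of the systems it mentions; the IdP secret, user identifier and relying-party names are constructed placeholders. It derives RP-specific persistent pseudonyms with an HMAC over (user, RP), which gives one RP a stable handle while leaving two RPs unable to correlate their identifiers, and contrasts that with a transient per-session pseudonym that even a single RP cannot link across visits.

```python
import hmac
import hashlib
import secrets

# Constructed sample values (hypothetical): a secret held only by the IdP,
# and one user account at that IdP.
IDP_SECRET = b"idp-pairwise-secret-example-do-not-reuse"
USER_ID = "alice@idp.example.test"


def pairwise_pseudonym(user_id: str, rp_id: str, secret: bytes = IDP_SECRET) -> str:
    """Persistent, RP-specific pseudonym.

    Stable for the same (user, RP) pair, so the RP can keep a history;
    different for every RP, so two RPs cannot correlate the identifiers
    they each see. Because the secret never leaves the IdP, an RP cannot
    invert the value to recover user_id.
    """
    # A NUL separator keeps ("ab","c") and ("a","bc") from colliding.
    msg = f"{user_id}\x00{rp_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def transient_pseudonym() -> str:
    """Per-session pseudonym: a fresh random value every time, so not even
    the same RP can link two visits (and therefore cannot keep a history)."""
    return secrets.token_hex(16)


def linkability_report(user_id: str = USER_ID) -> dict:
    """Summarise which observers can link which identifiers.

    Returns a dict of booleans; True means the two identifiers compared are
    equal, i.e. linkable by whoever sees both.
    """
    rp_a = "https://library.example.test"
    rp_b = "https://journals.example.test"
    visit1 = pairwise_pseudonym(user_id, rp_a)
    visit2 = pairwise_pseudonym(user_id, rp_a)
    at_other_rp = pairwise_pseudonym(user_id, rp_b)
    return {
        # same user, same RP: stable handle, history possible
        "pairwise_same_rp": visit1 == visit2,
        # same user, two RPs: unlinkable without the IdP's secret
        "pairwise_cross_rp": visit1 == at_other_rp,
        # fresh value each time: unlinkable even at one RP
        "transient_same_rp": transient_pseudonym() == transient_pseudonym(),
    }


if __name__ == "__main__":
    for name, linked in linkability_report().items():
        print(f"{name}: {'linkable' if linked else 'unlinkable'}")
```

Note which half of the asymmetry this buys: the RP sees only a pseudonym and cannot identify the IdP account behind it, but the IdP must know `rp_id` to derive the value, so it still learns which RP the user visits. Hiding that from the IdP as well is the part that needs an intermediary or a client-side component, as the thread says.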