[Openid-specs-ab] Connect Standard annotated word version

Nat Sakimura sakimura at gmail.com
Mon Jun 3 16:15:48 UTC 2013


Jun 4, 2013 0:34, Mike Jones <Michael.Jones at microsoft.com> wrote:

> As for changing the prompt:consent MUST to a SHOULD, I don’t understand the “obvious from other actions” comment,

It is quite a well-known concept.
For example, when you have ordered something to be delivered to your
home, you do not need an explicit consent for it since it is obvious.

Explicit consent is really only one of the possible conditions for
processing, even in the EU Data Protection Directive.

In Japan, we are even talking of banning unnecessary explicit consent
right now in a government committee. A protocol should not step on
these legal issues. It MAY say SHOULD but not MUST.

As to the Pavlov effect, we are not talking about one RP here. It is
potentially thousands of them. An OP should have some room to deal
with it in the sense of consumer protection. Again, a protocol should
not be prescriptive here. An OP should be able not to show the consent
dialogue and return an assertion without attributes other than that of
authentication event.

