[Openid-specs-ab] Oversight in data usage policy expression?

Nat Sakimura sakimura at gmail.com
Sat Aug 2 21:48:49 UTC 2014


This morning, I just noticed this:

Currently, the policy_uri and client registration are a one-to-one mapping.

In the earlier drafts, the client could specify policy_uri per request to
express the data usage purpose etc. for the particular request. When we
introduced the notion of dynamic registration, we moved policy_uri to the
registration, but by way of doing it, we may have lost the functionality to
express the per-request specific purpose. A client may request a subset of
what it needs in general from time to time to obtain the minimum but fresh
data. This complies with the collection minimization and data accuracy

What would be the best practice, given the situation, to provide the per
request specific purpose?
Introduce a new claim? OR reuse policy_uri? What would be the requirement?
I suppose the purpose specified in the per request policy_uri MUST be
smaller than that of the policy_uri specified at the client registration.

From an OP point of view, it is a bit hard to evaluate each policy_uri. So,
what I envisage is that the stakeholders get together to form a trust
framework and define a set of Policy URIs and use them so that the OP only
needs to know about these pre-defined Policy URIs.

In this case, the client picks an over-arching policy_uri and registers at
the client registration time, then creates a request object with more
specific policy_uri and registers it to the trust framework to obtain the
request_uri and use it.

What do you think?

Nat Sakimura (=nat)
Chairman, OpenID Foundation
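
An added illustration of the OP-side check discussed in the message above; it is not part of the original message or of any OpenID specification. It assumes that "smaller" means the per-request policy permits a subset of the purposes of the registered policy, and that the trust framework publishes the purposes for each pre-defined Policy URI; every URI, purpose name and function name here is hypothetical.

```python
# Constructed trust-framework registry: policy URI -> purposes it permits.
# URIs and purpose names are placeholders, not defined by any specification.
FRAMEWORK_POLICIES = {
    "https://tf.example/policy/general": frozenset({"account", "marketing", "analytics"}),
    "https://tf.example/policy/account-only": frozenset({"account"}),
    "https://tf.example/policy/research": frozenset({"research"}),
}


class PolicyError(ValueError):
    """Raised when a policy_uri cannot be accepted by the OP."""


def effective_policy(registered_policy_uri, request_policy_uri=None,
                     registry=FRAMEWORK_POLICIES):
    """Return the policy URI the OP should apply to one request.

    registered_policy_uri: policy_uri given at client registration.
    request_policy_uri: hypothetical per-request policy_uri carried in the
    request object; None means the request does not narrow the purpose.
    """
    # The OP only recognises URIs the framework pre-defined (exact match).
    if registered_policy_uri not in registry:
        raise PolicyError("registered policy_uri is not a framework policy")
    if request_policy_uri is None:
        return registered_policy_uri
    if request_policy_uri not in registry:
        # Unknown documents are rejected rather than fetched and evaluated.
        raise PolicyError("request policy_uri is not a framework policy")
    # Assumed meaning of "smaller": purposes must be a subset of the
    # purposes the client registered for.
    if not registry[request_policy_uri] <= registry[registered_policy_uri]:
        raise PolicyError("request policy_uri is broader than the registered one")
    return request_policy_uri
```
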