[Openid-specs-ab] [openid-specs-rande] You should read Torsten's proposal

Nick Roy nroy at internet2.edu
Mon May 13 16:30:53 UTC 2019



On 10 May 2019, at 23:21, Torsten Lodderstedt wrote:

> Hi Nick,
>
>> On 10.05.2019 at 23:02, Nick Roy <nroy at internet2.edu> wrote:
>>
>> This is excellent.
>>
> Thanks :-)
>> My only comment is in relation to section 10, "Privacy Consideration":
>>
>> The document notes: "OP and RP MUST establish a legal basis before exchanging any personally identifiable information."
>>
>> Does membership in a multilateral federation, where both parties have signed a participation agreement with the federation (but not each other) constitute a legal basis for the exchange? What about a situation where an OP is in one federation, and has signed its participation agreement, the RP is in another federation, and has signed its participation agreement, and the operators of both federations have signed an interfederation agreement with a party such as eduGAIN?
>>
> Ultimately, this question needs to be answered by a lawyer.
>
> I think in the EU the user would need to agree to the data transfer as well. That could happen via a user consent embedded in the flow or as part of the terms of service with the OP, which the user accepts when registering.

Thanks, I agree. It may also be something that is a specific requirement of the assurance profile required by the RP.

Nick

>
> best regards,
> Torsten.
>> Thank you,
>>
>> Nick
>>
>> On 8 May 2019, at 8:34, Torsten Lodderstedt wrote:
>>
>> Sounds good ;-)
>>
>> Look forward to getting your feedback.
>>
>> @Roland: thanks for your announcement.
>>
>>> On 08.05.2019 at 16:11, Nick Roy <nroy at internet2.edu> wrote:
>>>
>>> Thanks! I talked with Torsten about this at IIW last fall, glad to see it moving along. I will review.
>>>
>>> Best,
>>>
>>> Nick
>>>
>>> On 8 May 2019, at 1:36, Roland Hedberg wrote:
>>>
>>> Hi!
>>>
>>> For those who have missed the announcement.
>>>
>>> From the abstract:
>>>
>>> "This specification defines an extension of OpenID Connect for providing Relying Parties with verified person data.
>>> This extension is intended to be used to verify the identity of a person in compliance with a certain law."
>>>
>>> https://openid.net/specs/openid-connect-4-identity-assurance-02.html
>>>
>>> — Roland
>>> Scratch a pessimist and you find often a defender of privilege. -William Beveridge, economist and reformer (5 Mar 1879-1963)
>>>
>>> -- 
>>> openid-specs-rande mailing list
>>> openid-specs-rande at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-rande

