[Openid-specs-ab] Privacy Considerations
Nat Sakimura
sakimura at gmail.com
Sat Jul 23 12:23:44 UTC 2011
Yes. In the full spec, asking at the request time is an obvious solution.
But the Lite does not have a way to do it apart from the out of band
return_to registration time as it does not have claims syntax.
=nat via iPhone
On 2011/07/23, at 5:14, John Bradley <ve7jtb at ve7jtb.com> wrote:
I don't know that it is practical to register purpose of use at
registration.
I was thinking that that would eventually become part of the claim request
meta-data, along with value and required trust framework etc.
It makes the request larger but is more flexible.
The other place to list that would be in some third party certified
meta-data.
I could see checking with a meta-data repository if a RP is certified for EU
safe harbour, and what attributes they are approved to collect.
That is sort of what Germany is doing now with their EID.
John
On 2011-07-23, at 4:02 AM, Nat Sakimura wrote:
Hi.
I have started to contemplate the privacy considerations.
Several questions arise:
- When is the purpose of the use of the attribute determined?
-> either the claim request, or the redirect_url registration time.
- Is it not a good practice to return the terms of use of the data with it?
- Is it not releasing too much information as a default?
- Should not the access log to the UserInfo be made accessible to the user?
Best,
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en