[Openid-specs-ab] Purpose statement for UserInfo and other claims usage

[Nat Sakimura]

One concern that I did not get raised during the UserInfo session at the IIW
XII was that
we need the "specific purpose of use" statement at the time of consent.
For example, Japanese METI guideline states clearly that
a vague statement like "for the marketing purpose" is not sufficient.
It even goes on to state that a link in the page is not enough.
At least, the short description of the purpose of use and the name of the
data receiver MUST be shown on the page of consent, unless the
data release was specifically allowed by the law.

So, we may want a hook to do this even for the minimum UserInfo set
in the request i.e., hook to send the link to the ToS and jurisdiction
at the very least: In EU directive, IdP is unlikely to be allowed to
send the data to an entity in a country with inappropriate data protection.
I would prefer to have short description text of the purpose of use as well
so that I can display on the consent screen.
I understand that the US law does not have such constraint, but not having
such a hook makes UserInfo endpoint useless in many jurisdictions.

I know that it blows up the request. This actually was one of the main
reason why I wanted Artifact Binding.
Artifact Binding request file is an (optionally) signed file that includes:

- Short description of the purpose of the use of the data
- Name and identifier of the data client.
- Set of requested claims / attributes.
- Link to the ToS or actual ToS itself.
- Other extension variables.

Contract Exchange actually is a schema that defines these in more detail.

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110504/bff481fb/attachment.html>