[Openid-specs-ab] assurance and purpose of use statement.
Nick Roy
nroy at internet2.edu
Wed Mar 20 21:41:41 UTC 2019
Isn’t the purpose of use statement what the OP is required to display to a user before they consent to release the data?
Nick
On 20 Mar 2019, at 15:37, Tom Jones via Openid-specs-ab wrote:
> I was thinking about the assurance doc and privacy considerations. I found
> the following in the core oidc doc and several others. Its meaning is not
> clear to me, *purpose of use* seems not to be defined anywhere and not a
> current term of art. Does anyone have any back story on this section? If
> not I might try to word it in terms of EU and CA legislation.
>
> 17.1. Personally Identifiable Information
>
> The UserInfo Response typically contains Personally Identifiable
> Information (PII). As such, End-User consent for the release of the
> information for the specified purpose should be obtained at or prior to the
> authorization time in accordance with relevant regulations. The purpose of
> use is typically registered in association with the redirect_uris.
>
> Only necessary UserInfo data should be stored at the Client and the Client
> SHOULD associate the received data with the purpose of use statement.
> Peace ..tom