[Openid-specs-heart] The Number and Ownership of Authorization Servers.

Glen Marshall [SRS] gfm at securityrs.com
Tue Dec 15 22:15:55 UTC 2015


Many people have already set up things to establish privacy, in various 
ways, some more effective than others.  Multiple AS might be one of them.

For example, if I were enrolled in an HIV-positive clinical study, I 
might want the study's AS to contain my authorization just for access to 
the relevant RSs and not be noted in my clinical record. The very fact 
of being enrolled in the study is too much of a disclosure.

Similarly, a person who has established a social networking account on 
an adult-interest web site might want to keep that out of sight from 
others.  The mere existence of such privacy preferences in a common 
authorization resource might raise uncomfortable questions if they were 
revealed.  One solution is to have a distinct AS for the adult-interest 
site.  That can be generalized.

For privacy reasons, I give every one of my on-line vendor contacts a 
unique e-mail address to contact me, e.g., /vendor.com/@glenmarshall.com. 
Even though all the e-mail comes to a common account for me to read, it 
makes it impossible for unrelated vendors to assemble and share a 
dossier keyed by e-mail.  Each vendor has my privacy and contact 
preferences relative to just our common business.  With a large number 
of e-mail addresses I also avoid common identification services, e.g., 
OAuth, except where it suits my purposes.  A side-effect is that I do 
not need complex trust relationships among vendors.  This is not much of 
a schlep for me, once it was set up.

... and so on.

*Glen F. Marshall*
Consultant
Security Risk Solutions, Inc.
698 Fishermans Bend
Mount Pleasant, SC 29464
Tel: (610) 644-2452
Mobile: (610) 613-3084
gfm at securityrs.com
www.SecurityRiskSolutions.com

On 12/15/15 15:10, Debbie Bucci wrote:
> Yes I believe ...some poor schlep is going to be on the hook for 
> keeping his AS replicated with the one I designated because of  “Policy”
>
> AND (ideally)
>
> The trusted  application that you are familiar designate (Bill's 
> source of truth) would/should trigger/drive the updates.
>
> Perhaps a schlep provide UI to verify update and changes (and trigger 
> receipts of those update)  -  would be considered a safeguard.
>
> Given your experience with PHRs - you know best - there may be one 
> source of truth for Healthcare data today but with IOT and other yet 
> to be determined innovations -  I still believe (under the covers) it 
> will be distributed in nature.
>
> Understanding that going in may impact some of our decisions.
