<div dir="ltr"><div>Glen, "Strongly prefer" is hard to reconcile with NIST privacy engineering and privacy risk management guidance. Building HEART according to these principles, requires us to make pairwise pseudonymity the baseline for the API unless we can identify a specific business goal that is incompatible with pairwise pseudonymity at the base RS-AS connection.<br><br></div>Adrian<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 6, 2015 at 2:12 PM, Glen Marshall [SRS] <span dir="ltr"><<a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I would strongly prefer that the function of pseudonym-to-subject
re-identification be distinct from the AS. Exactly how that occurs,
and who is responsible for what functions, is policy-driven and
outside of the use cases but is certainly an interesting topic for
implementation guidance. We should not constrain policy, but should
expose practical implementation factors to inform it.<span class=""><br>
<div>
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: <a href="tel:%28610%29%20644-2452" value="+16106442452" target="_blank">(610) 644-2452</a><br>
Mobile: <a href="tel:%28610%29%20613-3084" value="+16106133084" target="_blank">(610) 613-3084</a><br>
<a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a><br>
<a href="http://www.SecurityRiskSolutions.com" target="_blank">www.SecurityRiskSolutions.com</a></p>
</div>
</span><span class=""><div>On 10/6/15 11:18, Adrian Gropper wrote:<br>
</div>
<blockquote type="cite">When the resource does not contain Subject identity
information, the Authorization Server is responsible for
associating the pseudonyms with an identity.</blockquote>
<br>
</span></div>
<br>_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<span style="font-size:11pt"></span><br><br><span style="font-family:"Arial",sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span><span style="font-family:"Arial",sans-serif;color:#1f497d"></span><span style="font-family:"Arial",sans-serif;color:#1f497d"><br>DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span><span style="color:#1f497d"></span>
</div></div></div></div></div></div></div></div>
</div>