>>>>> "Pete" == Pete Rowley <[EMAIL PROTECTED]> writes:
Pete> It is a requirement if you require to support more than
Pete> authN. Access to a site might require an "I am over 21"
Pete> token, authZ without direct authN - DIX supports that, and I
Pete> believe it is important to do so.

I think the over-21 example is particularly bad because I cannot
imagine a site (at least in the US) not taking responsibility for that
check themselves based on demographic data they request. It seems
like way too much of a risk to outsource this to an identity provider
especially if you allow identities from a number of different identity
providers.

However I do agree that non-identifier claims are something we want to
support in the fullness of time. I just think that we can learn a lot
by getting something that supports a single identifier claim in the
first version. I don't even mind if we standardize more than that; I
just question whether it needs to be mandatory to implement.
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix