On 5-Jun-06, at 2:00 PM, Sam Hartman wrote:

"Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:

    Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
"Pete" == Pete Rowley <[EMAIL PROTECTED]> writes:

    Pete> It is a requirement if you require to support more than
    Pete> authN.  Access to a site might require an "I am over 21"
    Pete> token, authZ without direct authN - DIX supports that, and I
    Pete> believe it is important to do so.
 I think the over-21 example is particularly bad because I
cannot imagine a site (at least in the US) not taking
responsibility for that check themselves based on demographic
data they request.  It seems like way too much of a risk to
outsource this to an identity provider especially if you allow
identities from a number of different identity providers.

    Eric> I'm surprised to see you make this claim, since outsourced
    Eric> adult verification services for porn sites are extremely
    Eric> common.

My point is that I expect the porn site to have a contract with some
verification service they trust

They would in both cases. They 'trust' the authority, and they need
a mechanism to verify the claim.

and not to want to handle that data
transport through the identity exchange.

Why not? It costs less to implement. The Service Provider just has
to state up front what its policy is wrt the set of claims it requires
to permit access to the requested content. The claims are some
kind of signed blob (e.g. SAML assertion)... why would they care if
it came in with the user's 'login' to the site?

John
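
The flow discussed in this thread, a service provider stating up front which claims it requires and checking a signed blob without learning who the user is, as an added example that is not part of the original messages. The issuer names, keys and policy are constructed for illustration, and an HMAC stands in for the asymmetric signature a real assertion (e.g. SAML) would carry.

```python
import hashlib
import hmac
import json

# Constructed demo keys. A real deployment would verify an asymmetric
# signature on the assertion; HMAC is a standard-library stand-in here.
ISSUER_KEYS = {"age-verifier.example": b"demo-key-1",
               "other-idp.example": b"demo-key-2"}

# Hypothetical policy the service provider states up front:
# required claim -> authorities it trusts to assert that claim.
POLICY = {"over_21": {"age-verifier.example"}}


def sign_claim(issuer, claim, value, expires):
    """Issuer side: serialize the claim and attach a MAC over the exact bytes."""
    body = json.dumps({"iss": issuer, "claim": claim, "value": value,
                       "exp": expires}, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).digest()}


def verify_claim(token, now):
    """SP side: return (claim, issuer) if authentic, unexpired and true, else None."""
    try:
        fields = json.loads(token["body"])
        key = ISSUER_KEYS[fields["iss"]]
        expected = hmac.new(key, token["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None  # forged or altered blob
        if fields.get("exp", 0) <= now or fields.get("value") is not True:
            return None  # stale assertion, or the claim is not asserted as true
        return fields.get("claim"), fields["iss"]
    except (KeyError, ValueError, TypeError):
        return None  # malformed token or unknown issuer


def access_decision(tokens, now, policy=POLICY):
    """Grant access only if every required claim comes from a trusted authority."""
    satisfied = set()
    for token in tokens:
        result = verify_claim(token, now)
        # A valid signature is not enough: the issuer must be trusted for this claim.
        if result and result[1] in policy.get(result[0], ()):
            satisfied.add(result[0])
    missing = set(policy) - satisfied
    return (not missing, sorted(missing))
```

No user identifier appears in the token or the decision; the service provider sees only the claim and the authority that vouches for it.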


