Sam Hartman <[EMAIL PROTECTED]> writes:

>>>>>> "Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:
>
>     Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
>     >>>>>>> "Pete" == Pete Rowley <[EMAIL PROTECTED]> writes:
>     >>
>     Pete> It is a requirement if you require to support more than
>     Pete> authN. Access to a site might require an "I am over 21"
>     Pete> token, authZ without direct authN - DIX supports that, and I
>     Pete> believe it is important to do so.
>     >>
>     >> I think the over-21 example is particularly bad because I
>     >> cannot imagine a site (at least in the US) not taking
>     >> responsibility for that check themselves based on demographic
>     >> data they request. It seems like way too much of a risk to
>     >> outsource this to an identity provider especially if you allow
>     >> identities from a number of different identity providers.
>
>     Eric> I'm surprised to see you make this claim, since outsourced
>     Eric> adult verification services for porn sites are extremely
>     Eric> common.
>
> My point is that I expect the porn site to have a contract with some
> verification service they trust and not to want to handle that data
> transport through the identity exchange.
I'm not sure I see the distinction here. As I mentioned at the DIX BOF in Dallas, there are two kinds of claim that one could imagine an identity provider making:

1. Claims for which they are authoritative (like when rtfm.com's name server asserts that www.rtfm.com has a certain IP address)

2. Claims for which it's not authoritative but which have some independent truth value (e.g., this person is over 21, has the following SSN, etc.)

Any system which allows for the second kind of claim must by necessity involve the relying party having some trust in the provider making the assertion (as opposed to the first in which you simply need to verify who they are). No? In what way couldn't that apply to an "identity exchange"?

I'm also not sure that I understand your point about a "contract". After all, we routinely trust physical (drivers licenses) and electronic (SSL certs) credentials from organizations with which we have no prior relationship. The reason for there to be a contract between the porn site and the AVS isn't really so that the porn site can trust the AVS but rather so that money can flow. [1] In the absence of that money flow (or the presence of a direct money flow like in the case where you show ID to buy alcohol) then it's not clear to me that the relying party needs a contract with the AVS.

-Ekr

[1] Incidentally, the way the money flows here is generally from the AVS to the porn site. Effectively, the AVS is charging you for accessing the site.
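The two-step separation Eric describes above (first verify who made the assertion, then decide whether that party's word counts for the claim in question) is what a relying party's claim checker has to implement. The following is an added example, not code from the dix thread or from any DIX implementation; the token format, the HMAC-keyed issuers `idp.example` and `avs.example`, the `over_21` and `sub` claim names and the trust tables are all hypothetical. It treats a claim as "kind 1" when the issuer is vouching for an identifier in its own namespace, and as "kind 2" otherwise, so that a signature check alone is never enough to accept an over-21 claim.

```python
"""Added example (hypothetical names/keys): a relying party that separates
'who signed this assertion' from 'should I believe what it asserts'."""
import base64
import hashlib
import hmac
import json

# Constructed registry of issuer MAC keys (stand-in for a signing-key directory).
# Verifying the MAC answers only "did this issuer send this?" (identity),
# which is all that Eric's kind-1 claims need.
ISSUER_KEYS = {
    "idp.example": b"idp-secret-key",
    "avs.example": b"avs-secret-key",
}

# Relying-party trust policy for kind-2 claims, i.e. claims the issuer is not
# authoritative for. An issuer is only believed for these if listed here.
TRUSTED_ATTRIBUTE_PROVIDERS = {
    "over_21": {"avs.example"},
}


def sign_assertion(issuer, claims):
    """Issuer side: 'payload.mac', payload is base64url(JSON with iss)."""
    body = json.dumps({"iss": issuer, **claims}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    mac = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_issuer(token):
    """Step 1: authenticate the issuer. Returns the claims dict, or None."""
    payload, _, mac = token.rpartition(".")
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return claims


def is_authoritative(issuer, name, value):
    """Kind 1: the issuer vouching for an identifier in its own namespace."""
    return name == "sub" and str(value).endswith("@" + issuer)


def evaluate(token):
    """Step 2: decide which claims the relying party will act on."""
    claims = verify_issuer(token)
    if claims is None:
        return {"issuer_verified": False, "accepted": {}, "rejected": {}}
    issuer = claims["iss"]
    accepted, rejected = {}, {}
    for name, value in claims.items():
        if name == "iss":
            continue
        trusted_for_claim = issuer in TRUSTED_ATTRIBUTE_PROVIDERS.get(name, set())
        if is_authoritative(issuer, name, value) or trusted_for_claim:
            accepted[name] = value
        else:
            rejected[name] = value   # signature is fine, but the word is not trusted
    return {"issuer_verified": True, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    # The IdP is believed about its own user but not about that user's age.
    print(evaluate(sign_assertion("idp.example", {"sub": "alice@idp.example", "over_21": True})))
    # The AVS is believed about age because the RP chose to trust it for that claim.
    print(evaluate(sign_assertion("avs.example", {"over_21": True})))
```

Adding a third provider for `over_21` is a policy decision in `TRUSTED_ATTRIBUTE_PROVIDERS`, independent of adding its key to `ISSUER_KEYS`; that is exactly the separation between knowing who the asserter is and trusting what it asserts.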
