>>>>> "Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:
Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
>>>>>>> "Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:
>>
Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
>> >>>>>>> "Pete" == Pete Rowley <[EMAIL PROTECTED]> writes:
>> >>
Pete> It is a requirement if you require to support more than
Pete> authN. Access to a site might require an "I am over 21"
Pete> token, authZ without direct authN - DIX supports that, and I
Pete> believe it is important to do so.
>> >> I think the over-21 example is particularly bad because I
>> >> cannot imagine a site (at least in the US) not taking
>> >> responsibility for that check themselves based on demographic
>> >> data they request. It seems like way too much of a risk to
>> >> outsource this to an identity provider especially if you
>> >> allow identities from a number of different identity
>> >> providers.
>>
Eric> I'm surprised to see you make this claim, since outsourced
Eric> adult verification services for porn sites are extremely
Eric> common.
>> My point is that I expect the porn site to have a contract
>> with some verification service they trust and not to want to
>> handle that data transport through the identity exchange.
Eric> I'm not sure I see the distinction here.
The distinction is layer 9; I don't think there is a technical distinction.
It is my impression mostly from financial sector businesses that you
are going to see people verifying this information themselves (through
a separate exchange with a business partner) rather than trusting the
same assertion signed as part of the identity exchange.
--Sam
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix