Sam Hartman <[EMAIL PROTECTED]> writes:
>>>>>> "Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:
>
> Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
> >>>>>>> "Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:
> >>
> Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
> >> >>>>>>> "Pete" == Pete Rowley <[EMAIL PROTECTED]> writes:
> >> >>
> Pete> It is a requirement if you require to support more than
> Pete> authN. Access to a site might require an "I am over 21"
> Pete> token, authZ without direct authN - DIX supports that, and I
> Pete> believe it is important to do so.
> >> >> I think the over-21 example is particularly bad because I
> >> >> cannot imagine a site (at least in the US) not taking
> >> >> responsibility for that check themselves based on demographic
> >> >> data they request. It seems like way too much of a risk to
> >> >> outsource this to an identity provider especially if you
> >> >> allow identities from a number of different identity
> >> >> providers.
> >>
> Eric> I'm surprised to see you make this claim, since outsourced
> Eric> adult verification services for porn sites are extremely
> Eric> common.
> >> My point is that I expect the porn site to have a contract
> >> with some verification service they trust and not to want to
> >> handle that data transport through the identity exchange.
>
> Eric> I'm not sure I see the distinction here.
>
> The distinction is layer 9; I don't think there is a technical distinction.
>
> It is my impression mostly from financial sector businesses that you
> are going to see people verifying this information themselves (through
> a separate exchange with a business partner) rather than trusting the
> same assertion signed as part of the identity exchange.
I'm still not sure I get what you're saying. Let me see if I can
try again looking at the flows of data.
OPTION 1: What I take DIX to be doing

Client                     IdP                      Relying Party
  ------------------------- Service Please --------------------->
  <------------------------ Prove you're over 21 ----------------
  <-------Auth exchange ------>
  <------- Over 21 credential--
  <----------------- Auth exchange plus over 21 cred ------------>

OPTION 2: What I think you're describing

Client              IdP              Relying Party              Business partner
  ---------------------- Service Please ---------------->
  <--------------------- Prove your identity ------------
  <-- Auth exch --
  <---Id cred ----
  <------------- Auth exchange plus Id cred ------------->
                                                         --- User's ID -->
                                                         <-- Over 21 -----

Do I have this correct?
-Ekr
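The two flows above, as an added example that is not part of this thread or of DIX itself: a Python simulation in which the Relying Party verifies HMAC-signed assertions, with the IdPs, the business partner, their keys and the users all constructed for the demo. It shows the risk Sam raises about OPTION 1: the RP must trust every federated IdP's key for the age attribute, so an IdP that merely passes through a self-asserted age is indistinguishable from one that verified it, whereas in OPTION 2 that trust stays with the RP's own contracted partner.

```python
import hashlib
import hmac
import json

# Constructed parties and key material for the demo: the RP holds one key per
# IdP it federates with, plus a separate key shared with its contracted partner.
IDPS = {
    "idp.example":       {"key": b"idp-key-1", "ages": {"alice": 34, "bob": 17}},
    "other-idp.example": {"key": b"idp-key-2", "ages": {}},  # no age records at all
}
PARTNER_KEY = b"partner-key"
PARTNER_AGES = {"alice": 34, "bob": 17}  # what the business partner has verified

def sign(key, claims):
    """Sign a claim set with HMAC-SHA256 (stand-in for the issuer's signature)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, assertion):
    """Return the claims if the MAC checks out under `key`, else None."""
    body = json.dumps(assertion["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return assertion["claims"] if hmac.compare_digest(expected, assertion["mac"]) else None

def idp_issue(idp, user, want_age, claimed_over21):
    """IdP side of the auth exchange. An IdP with no record of the user's age
    simply passes through whatever the user self-asserted at enrollment."""
    claims = {"iss": idp, "sub": user}
    if want_age:
        ages = IDPS[idp]["ages"]
        claims["over21"] = ages[user] >= 21 if user in ages else claimed_over21
    return sign(IDPS[idp]["key"], claims)

def partner_check(user):
    """Business partner answers the RP's separate "User's ID" query with a signed verdict."""
    return sign(PARTNER_KEY, {"sub": user, "over21": PARTNER_AGES.get(user, 0) >= 21})

def option1(idp, user, claimed_over21=False):
    """OPTION 1: RP accepts the over-21 claim carried inside the IdP credential."""
    claims = verify(IDPS[idp]["key"], idp_issue(idp, user, True, claimed_over21))
    return bool(claims and claims.get("over21"))

def option2(idp, user, claimed_over21=False):
    """OPTION 2: RP takes only identity from the IdP, then asks its own partner."""
    claims = verify(IDPS[idp]["key"], idp_issue(idp, user, False, claimed_over21))
    if claims is None:
        return False
    verdict = verify(PARTNER_KEY, partner_check(claims["sub"]))
    return bool(verdict and verdict["over21"])
```

With the constructed data, option1 lets "bob" through at other-idp.example on a self-asserted age while option2 rejects him, because only the partner's verdict counts there.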
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix