On 15 Feb 2012, at 06:06, [email protected] wrote:

> > Well, even more, the idp should not know at all which rp I talk to
> > in the first place.
>
> It is a strong privacy requirement. I doubt solutions in ABFAB can provide this
> feature.

Yes, ABFAB cannot do this natively. Though there are always ways around this.

SAML cannot do this natively either, but the Cabinet Office (UK government) is in the middle of setting up a national federated infrastructure with exactly this property, which it achieves by having a gateway in the middle which mediates all traffic.

Note that this privacy requirement may well be asymmetric - there may be a difference between the IdP not being able to know about which RP the user is using, and the RP not knowing which IdP the user came from...

R.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet - the UK's education and research network
email: [email protected] / [email protected]
GPG: 0xDE2F024C
_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
