Dennison, Karen J wrote:
> If not being able to distinguish this prevents lots of IdPs
> from signing up to any form of user accountability, then we would
> still find ourselves in the position of independent negotiation with
> IdPs and lots of very frustrated end-users.

I don't think we are going to find that we have lots of IdPs who can
sign up to not reissuing ePTI but can't sign up to not reissuing ePPN.
This is a fairly new area, though, so I think we can expect that it will
take some sites a while to get their head round the question and do the
due diligence required to convince themselves this is the case (and I
think kudos is due to those sites that *do* the due diligence rather than
just saying "yes" because it's obviously what we want to hear). Some
people may need to do some kind of internal formal audit to get there,
and that will take a while.

There may well be sites who can't sign up to the section 6 guarantees
because their identity management procedures are genuinely not mature
enough yet. But I would say you shouldn't be accepting assertions from
such sites for your purposes, because the privacy implications are so
horrid.

The other thing to watch out for is that the percentages we've been
bandying about have been percentages of *all IdPs*. By no means all
IdPs are institutional ones; many at present are testing or research
entities which I would expect might well never feel the need to assert
user accountability. However, that wouldn't be a problem in this
context. Another way of looking at this is that the current 35%
actually represents a higher percentage of *institutional* IdPs.
-- Ian