>>>>> "Diego" == Diego R Lopez <[log in to unmask]> writes:
Diego> On 27 Feb 2010, at 00:55, Josh Howlett wrote:
>>
>> We could do a lot of interesting things; for example, the supplicant
>> could maintain a local consent policy database, or it could sync
>> these with the IdP's own consent management database and delegate
>> the consent decision to the IdP.
Diego> When it comes to this sync, a mechanism similar to cookies
Diego> comes to my mind, though not necessarily done through HTTP
Diego> cookies... The supplicant could use some moments
Diego> (installation, updates, periodically) to make the user review
Diego> and accept consent settings for the IdP, connect to it and
Diego> get a token from the IdP (something like a cookie) that
Diego> defines the settings. Whenever a request for consent comes
Diego> from the IdP, an attempt using this token could avoid excessive
Diego> (and therefore less secure) usage of the direct user
Diego> intervention...
This is definitely a promising idea. I can think of a number of ways to
implement this and it definitely is something we can do. I think there
are even mechanisms for communicating per-service consent information to
the IdP.
What gets tricky is to have interaction round trips as part of the
authentication conversation. However, I want to emphasize that's tricky,
not impossible.
--Sam
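The consent-token scheme Diego sketches above, worked through as an added example that is not code from this thread or from any project discussed on the list. It assumes a hypothetical layout: the IdP keys a consent token with an HMAC (IDP_KEY is a constructed placeholder), the token records per-service attribute consent and an expiry, the supplicant stores it after the user reviews settings, and the IdP checks the presented token before deciding whether it can release attributes or must fall back to prompting the user. The service names and attribute names are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder: the IdP's MAC key for consent tokens. Only the IdP
# holds it, so only the IdP can mint or validate tokens (hypothetical value).
IDP_KEY = b"idp-consent-token-key-example"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_consent_token(key, user, consent, ttl_seconds, now=None):
    """IdP side. After the user has reviewed and accepted consent settings
    (at install, update or a periodic review), mint a token recording which
    attributes each service may receive. consent maps service-id -> set of
    attribute names. The token is MACed so the supplicant cannot alter it."""
    now = int(time.time()) if now is None else now
    payload = {
        "user": user,
        "consent": {svc: sorted(attrs) for svc, attrs in consent.items()},
        "iat": now,
        "exp": now + ttl_seconds,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def check_consent_token(key, token, user, service, requested_attrs, now=None):
    """IdP side. When a service asks for attributes, decide whether the token
    the supplicant presented already covers the request.
    Returns (decision, reason) where decision is
      'release' -> every requested attribute is consented, no user prompt needed
      'ask'     -> token missing, malformed, forged, expired or insufficient:
                   fall back to direct user intervention."""
    now = int(time.time()) if now is None else now
    if not token:
        return "ask", "no token presented"
    try:
        body_s, tag_s = token.split(".")
        body, tag = _unb64(body_s), _unb64(tag_s)
    except (ValueError, TypeError):
        return "ask", "malformed token"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare so a forged tag cannot be brute-forced by timing.
    if not hmac.compare_digest(tag, expected):
        return "ask", "bad MAC"
    payload = json.loads(body)
    if payload.get("user") != user:
        return "ask", "token issued to a different user"
    if payload.get("exp", 0) <= now:
        return "ask", "token expired"
    allowed = set(payload.get("consent", {}).get(service, []))
    missing = set(requested_attrs) - allowed
    if missing:
        return "ask", "not consented: " + ", ".join(sorted(missing))
    return "release", "covered by stored consent"


class Supplicant:
    """Client side. Holds the token between authentications and hands it over
    when the IdP asks for consent, instead of prompting the user each time."""

    def __init__(self):
        self.token = None

    def review_and_sync(self, key, user, consent, ttl_seconds, now=None):
        # In the real flow the IdP mints this; calling issue_consent_token
        # directly here stands in for that round trip (constructed example).
        self.token = issue_consent_token(key, user, consent, ttl_seconds, now)

    def answer_consent_request(self, key, user, service, attrs, now=None):
        return check_consent_token(key, self.token, user, service, attrs, now)


if __name__ == "__main__":
    s = Supplicant()
    s.review_and_sync(IDP_KEY, "alice",
                      {"wiki.example": {"name", "mail"}, "vpn.example": {"name"}},
                      ttl_seconds=3600, now=1000)
    print(s.answer_consent_request(IDP_KEY, "alice", "wiki.example", ["name"], now=1500))
    print(s.answer_consent_request(IDP_KEY, "alice", "vpn.example", ["mail"], now=1500))
```

Two caveats a deployment would need beyond this sketch: the token is bound to a user and an expiry but not to a revocation list, so withdrawing consent early means the IdP must also consult its own consent database (or keep the TTL short); and presenting the token still has to fit inside the authentication exchange, which is exactly the round-trip problem raised above.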