Subject Re: draft charge, refeds working group on attribute release
From John Bradley <ve7jtb@xxxxxxxxxx>
Date Fri, 1 Jul 2011 17:09:25 -0400

I just spent two days in Boston at the NSTIC privacy conference.

I don't know that there is any technical solution that will make everyone happy.

I do think that we can do better than the current state of commercial SAML software.
That said, having talked to the vendors, without commercial IdPs asking for it they are not likely to do anything with notice and consent.

Dynamic attribute release, consent, etc. have found their way into OpenID / UMA / OAuth because they are newer and less enterprise focused.
I think SAML as a protocol is not the limiting factor, rather what parts of the protocols people elect to support.

I am hoping that the R&E community can show leadership on the issue, because if it doesn't happen here SAML will be seen as lagging and not suitable for the new "Identity Ecosystem".

On the library issue. Libraries are good. Getting complex layers of libraries available on all platforms is hard. The easier it is for people to create those libraries, the more likely a protocol is to succeed.

The goal with OpenID Connect is to place minimal requirements on the RP/SP because those are the hardest environments to predict.
Keep it simple and allow for more sophisticated clients to optimize the protocol and achieve higher LoA by using asymmetric signatures and encryption if they require it.

John B.
On 2011-07-01, at 4:48 PM, Cantor, Scott E. wrote:

> On 7/1/11 4:41 PM, "John Bradley" <ve7jtb@xxxxxxxxxx> wrote:
>> SAML inherits a bad rap from XML canonicalization. Simple sign was an
>> attempt to address that, but it was not picked up.
> Which puts the lie to the library argument.
> They could also simply have encoded the SAML into JSON and maintained the
> semantics and a greater degree of code reuse.
> But, none of this really matters because we could deploy all this tomorrow
> and we'd still be refusing to release the data.
> -- Scott