2022-02-10 R&S 2.0 Notes
Attendees
Pre-reading
WG Consensus
- The Anonymous Access, Pseudonymous Access, and Personalized Access Entity Categories shall be harmonized based on the decisions made around Personalized Access.
- Authorization guidance shall be split out into a separate, descriptive paper and not be part of any of the entity categories.
- The names should be "Access Entity Category" not "Authorization Entity Category" - 10 January 2022
- We will not include assurance requirements in the Anonymous Access Entity Category - 10 January 2022
- We will take out the wording in Section 4 of Anonymous that requires proof, while leaving in the wording that requires documentation for Registration Requirements - 24 January 2022
Agenda
- Verify WG Consensus items
- Review proposed changes to Anonymous and Pseudonymous ECs
- Pål to match up Pseudonymous and Personalized ECs based on changes made to Anonymous
- Review initial draft for authorization (Scott C's action item from last call) - Federated Authorization Best Practices
- "I think it's important that a service that requires only the former but can do the latter be able to assert both. We should take care to author the changes to both of them to ensure that's sensible. It shouldn't be worded so strictly that you have to pick only one."
Notes
- Verify WG Consensus items
- Review proposed changes to Anonymous and Pseudonymous ECs
- Pål to match up Pseudonymous and Personalized ECs based on changes made to Anonymous
- Note that we need to make sure to add a section on authorization that will point to the Federated Authorization Best Practices; a to-do currently noted in Section 6 of AA
- We do still have authorization in the ECs and attributes outside the scope of these specs. That needs to be addressed.
- Significant discussion on whether Anonymous needs registration criteria at all. Is that valid for authentication only? As is, it implies processing personalized data where no personalized data exists.
- "So we don't want to keep the first 4.1 - the need for this information? use of this EC is to get org/affil value returned… why do they need those and not just a blank attribute bundle?" That would be very hard to document and prove, and since it's not PII, is it even necessary to ask?
- Since Anonymous was originally intended to help SPs avoid getting user data they did not want, let's explicitly state that that's what this EC is about.
- Review initial draft for authorization (Scott C's action item from last call) - Federated Authorization Best Practices
- "I think it's important that a service that requires only the former but can do the latter be able to assert both. We should take care to author the changes to both of them to ensure that's sensible. It shouldn't be worded so strictly that you have to pick only one."
- Ran out of time: Will come back to this on a future call