On 28.10.22 at 11:35, Mario Loffredo wrote:
[PK] The text was proposed in a way which does not exclude certain
valid use-cases but still allows the RDAP server to set its own
policy on sharing data.
It is clear that the RDAP server is acting as a sort of Identity Provider
towards its clients, so similar considerations about data sharing
shall apply. The RDAP server may ask the user for consent about
sharing PII as well; the decision is clearly by the RDAP server operator.
[ML] It doesn't make sense to me that the RDAP server could operate as an
IdP proxy for RDAP clients. It's already a bit weird that in this
model the RDAP server acts simultaneously as a Relying Party and a
Resource Server, but I admit that, when the RDAP client is a browser,
the RDAP server is the only intermediary application between the end
user and the IdP.
Instead of making the RDAP server more complex, the easy way is that,
if an RDAP client needs PII claims for providing the end user with a
better UX or for any other purpose, it should register with an IdP and
ask that IdP for those claims with the end user's consent.
[PK] There is a quite relevant drawback to this scenario: there is
no assurance that the identity provided to the RDAP client by the IdP would
be the same as the one used towards the RDAP server if there is no
relation. An IdP may hold more than one identity of the same user and
offer account selection in the authorization step.
Kind Regards,
Pawel
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext