FAL2 - Privacy Requirements

[dhs-BI]

As an enterprise focused profile, should IPSIE take on the privacy requirements of SP800-63Crev4 section 3.9 as seen in #71? Privacy requirements differ around the world and are likely subject to business agreements that are outside of the scope of an IPSIE profile.

chair hat off
I recommend that IPSIE does not require implementers to follow these controls. IPSIE should recommend that implementers devise and document their privacy controls.
chair hat on

[mcguinness]

One approach is to require the OP to support technical controls that a deployment could leverage to address privacy requirements but not require the RP to implement such as

• Assertion Encryption
• Claims Request for fine-grained attribute release
• Pair-wise identifiers

[deansaxe]

Thank you @mcguinness. I believe we can include this as non-normative guidance. I'll assign myself this issue to write this guidance. On a previous call we discussed pulling this common guidance into a doc that is useful across different federation protocols (e.g. use of TLS, DNSSec, etc.). I'll plan on including this guidance in that doc.

[deansaxe]

I have published a draft to address this issue. Please see https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html.