...
Andrew is doing a lot of work on trust framework enablement. He's hoping they can quickly model new patterns, to assess how they might come into Kantara's (meta-)framework. George expresses concern about getting trust frameworks to work in the consumer IdP context. We discussed this dilemma a bit: Is social login net negative for individuals? Are we actually reducing the number of times a user is asked for a password at new sites, which is supposedly one of the goals? Some sites are asking for a local password to be assigned as a backup if the IdP is down, for example. Business models for consumer-facing sites and apps distort the picture in weird ways.
Optimization opportunities:
...
RS=C
Bob has to become known to the AS, since the AS has to be a claims client for satisfying Alice's policy. There may be some elements of optimizations that depend on the nature of the claims required. The RS is dependent on the AS to figure out if Bob is okay. Should there be a flow where Bob shows up at Flickr, Flickr asks him to log in even if he doesn't have a Flickr account, and then the RS/client (Flickr) presents the resulting ID token to the AS on his behalf? RPT-getting could potentially be simplified. (Eve wonders if AAT-getting could also be simplified or at least performed as part of some other account setup earlier, since Flicker knows it's both an RS and a C.) Thomas observes that Flickr needs to distinguish when it's in an RS role vs. a C role, for binding obligations purposes.
...