OASIS IDtrust Steering Committee


Contractual privity in OIX and NS-TIC


    Posted 09-13-2010 16:10
    Hi Stephen,

    OIX is currently working on those issues.

    The situation with assertion-based protocols like SAML, OpenID and IMI is slightly different in that the CSP is involved in making the individual assertion and may not be willing to make assertions to RPs who are not signatories to an appropriate agreement.

    The RP may be subject to Levels of Data Protection agreements as well as Levels of Control agreements relating to the Data Subject's information.

    Liability is the consequence of the failure of a system, not one of the inputs. OIX and Kantara are working with the US Gov and others to produce rules that result in Duties of the parties that can then be used to evaluate their participation.

    At the end of the day parties will still have an ability to take action if there is a breach. Hopefully the system can be designed so that that is the exception rather than the rule.

    You can contact Scott David <scott.david@klgates.com> who is working on this for OIX and the ABA-IDM Task Force.

    He can point you to much more accurate information than I can on the issues.

    Regards
    John B.

    On 2010-09-13, at 11:29 AM, Dee Schur wrote:

    Hi,
    Please review Stephen's questions below and respond.
    Thanks,
    Dee

    Dee Schur, Senior Manager - Standards Advocate
    OASIS: Advancing open standards for the information society
    http://www.oasis-open.org
    +1.978.667.5115 x211



    ------------------------

    I am sure that many will recall the problem of "contractual privity" from the early days of PKI. The problem is that because there is normally no contract between a CA and a Relying Party, it is hard to manage legal risks when the CA has no control over how a Subject is going to use their certificate.

    One popular legal tactic was to try to create some sort of privity, by asking RPs to sign up to a Relying Party Agreement. I remember when working on the beTRUSTed CA being advised circa 2000 that the RP Agreement gave us no guarantee but was "better than nothing".

    A careful study by reputable e-commerce lawyers commissioned by the Australian Government in 2000 concluded "It is very uncertain how Australian law will apply to the relationship and allocation of risk between CAs and RPs" [Ref: "Legal liability and e-transactions", http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan014676.pdf].

    Two questions:

    1. Do any lawyers in IDtrust know of developments in respect of contractual privity that have since clarified the allocation of risk between CAs and Relying Parties?

    2. Why wouldn't the same uncertainties apply to IDPs in the Open Identity Exchange and the ecosystem envisaged by the National Strategy for Trusted Identities in Cyberspace (NS-TIC)?

    Cheers,

    Steve Wilson
    Lockstep
    www.lockstep.com.au