Monday, November 21, 2005

imho Liability SP or institutions


Per your message: Span

Latest installment:

Lies and liability. Dupes and duplicity. Assertions and near-certain litigation.

When is the asserting party (the identity provider, or IdP) liable for asserting (deliberately or inadvertently) what, upon closer inspection, turns out to be an untruth, and when is the relying party (the service provider, or SP) liable for not using standard verification mechanisms prior to relying upon that untruth?

When is an assertion, if not a lie, simply null and void, in terms of having exceeded its maximum time to live, as specified in trust agreement between IdP and SP? Or, if not null and void, out of its intended context, in terms of being relied upon for an application that the IdP and SP agreed is out of bounds? Or being misconstrued as implying a higher degree of assurance than warranted by the policies and practices of the IdP, as asserted between consenting lawyers at conception (of the trust agreement between the two organizations)?

Federations, built on contractually codified “trust relationships,” threaded back and forth by assertions and actions taken in response to those assertions, can easily crash in acrimony. And liability can get muddied in the complexity of federated IdM environments. Add more assertions, messages, flows, and parties to a federation scenario, and you're effectively adding more legal nuance that a smart lawyer can swing to their client's advantage, wiggling out of any liability and shifting it to others in the federation.

Try explaining the intricacies of a multidomain SAML 2.0 federated SSO environment to a jury of your peers. It’s all just a mess of messages, after all. Are your federation agreements spelling out the precise choreography and content of assertions that constitute legal binding contracts among IdPs and SPs?

Do your lawyers truly understand any of this? Can they defend it effectively in a court of law?