The life of the authenticating info?

Richard 'toast' Russo russor at msoe.edu
Sat May 21 12:44:08 PDT 2005


On Fri, 20 May 2005, Ben Hyde wrote:

> What are the rules, or advice, for a suspicious site about retaining the 
> information it collects during an authentication.   Is any of the info 
> collected private to any of the parties?

The information collected during authentication would be:

asserted identity url
signature generated by the identity server
connection information (ip addresses involved, etc)
http headers
timestamps

Am I missing anything?

Other than the asserted identity url (which should probably be assumed 
public), the other stuff probably fits into the shady netherworld of your 
privacy policy.

> I got to wondering about this because I'd assumed that the information would 
> be retained so if a complaint arose about the submitted comment the 
> suspicious site could use the collected info to file a complaint.  For 
> example it might file the complaint via the id service end point. 
> Alternately it might file a complaint with a third party reputation service 
> of some kind.   Enabling both of those seems highly desirable but it isn't 
> clear that the design as it stands is ready to support that.

I would likely retain the same information that you retain for traditional
authentication on your site.  Being able to give useful information to the 
id server in case of abuse is nice though.  Having some sort of reputation 
service sounds scary, but would probably be useful.

> So I backed up and tried to figure out what benefits and risks retaining 
> and/or revealing the info has.
>


More information about the yadis mailing list