Eric,

It seems to me that you have already answered your question.

Abbie

-----Original Message-----
From: Eric Burger [mailto:eburger(_at_)snowshore(_dot_)com]
Sent: Monday, October 21, 2002 10:35 PM
To: OPES Group
Subject: Privacy Considerations (4.5) in opes-authorization-00

How can a user know that the PDP has user profiles so they
can limit the promulgation of their profile data?

As pointed out in the thread on Authentication Requirements,
how does the PROTOCOL limit traffic data from being sent to
third parties? How does the PROTOCOL know the difference
between a server run by the service provider and a server run
by a third party?

In the real world, the user and the service provider enter
into a trust agreement (outside of the protocol). Part of
that agreement is that the service provider can or cannot let
third parties do work on their behalf. This, again, is
outside of the protocol. POLICY dictates whether a service
provider may or may not send traffic data to third parties.