(Submitted by MITRE)
In 800-63C, Section 4.2, fourth paragraph:
"A subscriber’s information SHALL NOT be transmitted between IdP and RP for any purpose other than those described in Section 5.2, even when those parties are whitelisted." is inconsistent with what Section 5.2 discusses - that of revealing what the subscriber has done to others. This sentence and the reference do not provide guidance for what the IdP can transmit. Digital identity? Attributes? FAL? In addition, there is a mismatch between this statement's noun: "information" and Section 5.2's: "activities".
Suggestion: Consider rephrasing this sentence in the positive, stating either the type of information or the purposes allowed.