Evolving Attribute Release Policies for campuses

Cantor, Scott cantor.2 at osu.edu
Wed Apr 6 15:35:24 EDT 2016


On 4/6/16, 3:25 PM, "users on behalf of Steven Carmody" <users-bounces at shibboleth.net on behalf of steven_carmody at brown.edu> wrote:



>I suspect that the differing interpretations of the use of 
>RequestedAttributes elements by R&S tagged SPs may be the result of 
>cultural differences, and the different legal frameworks that countries 
>have with respect to personal privacy. In some of the EU countries the 
>common understanding is that an IDP can only release to an SP those 
>attributes that are REQUIRED by the SP; that might be a subset of the 
>R&S bundle. If the site admins think that's what they're required to do 
>by the law .... then they'll likely look at the RequestedAttributes 
>elements. If the IDP is here in the US, well, welcome to the wild west!

That's all fine, but you don't get to tag yourself as supporting R&S if you do that. You can impose additional obligations if you need to, but this is a *misinterpretation* of the text, not an alternative one.

What confused all this is the language about requested attributes on the SP side.

>As an example, one of the centers here at Brown is sponsoring a 
>symposium. They have accepted papers from researchers at several 
>European universities. The local center wants to give those people 
>access to a controlled portion of a local web site. What will those 
>campuses release to the Brown site (which only needs EPPN)? The 
>campuses are in Germany, Scotland, Switzerland, Canada, and France.

That's why opaque IDs are unworkable. When access control is based on OOB knowledge of a userID, you have to accept that your choices are EPPN or mail. And that's the real world when we're talking about the collaboration use case. The enterprise model of opaque IDs is the right one in all kinds of ways, but it works because of the large feeds of user data from B2B.

-- Scott


