Evolving Attribute Release Policies for campuses

Steven Carmody steven_carmody at brown.edu
Wed Apr 6 15:59:35 EDT 2016


On 4/6/16 3:35 PM, Cantor, Scott wrote:
>
>> I suspect that the differing interpretations of the use of
>> RequestedAttributes elements by R&S tagged SPs may be the result of
>> cultural differences, and the different legal frameworks that countries
>> have with respect to personal privacy. In some of the EU countries the
>> common understanding is that an IDP can only release to an SP those
>> attributes that are REQUIRED by the SP; that might be a subset of the
>> R&S bundle. If the site admins think that's what they're required to do
>> by the law .... then they'll likely look at the RequestedAttributes
>> elements. If the IDP is here in the US, well, welcome to the wild west !
>
> That's all fine, but you don't get to tag yourself as supporting R&S
> if you do that. You can impose additional obligations if you need to,
> but this is a *misinterpretation* of the text, not an alternative one.
>
> What confused all this is the language about requested attributes on the SP side.
>

As a US-based IDP operator, I have some level of trust that IC sites 
tagged as R&S are "academic in nature", and thus unlikely to abuse 
attributes. So I can safely release the bundle, whether or not they need 
all those attributes.

But, for non-academic-SPs within IC, do I really want to trust that 
they've accurately portrayed the needs of their application with their 
RequestedAttributes elements? I don't think that anyone polices those
elements. So I'm back to relying on the IC Participation Agreement,
Section 9?