Evolving Attribute Release Policies for campuses
steven_carmody at brown.edu
Wed Apr 6 15:59:35 EDT 2016
On 4/6/16 3:35 PM, Cantor, Scott wrote:
>> I suspect that the differing interpretations of the use of
>> RequestedAttributes elements by R&S tagged SPs may be the result of
>> cultural differences, and the different legal frameworks that countries
>> have with respect to personal privacy. In some of the EU countries the
>> common understanding is that an IDP can only release to an SP those
>> attributes that are REQUIRED by the SP; that might be a subset of the
>> R&S bundle. If the site admins think that's what they're required to do
>> by the law .... then they'll likely look at the RequestedAttributes
>> elements. If the IDP is here in the US, well, welcome to the wild west !
> That's all fine, but you don't get to tag yourself as supporting R&S
> if you do that. You can impose additional obligations if you need to,
> but this is a *misinterpretation* of the text, not an alternative one.
> What confused all this is the language about requested attributes on the SP side.
As a US-based IDP operator, I have some level of trust that IC sites
tagged as R&S are "academic in nature", and thus unlikely to abuse
attributes. So I can safely release the bundle, whether or not they need
all those attributes.
But, for non-academic-SPs within IC, do I really want to trust that
they've accurately portrayed the needs of their application with their
RequestedAttributes elements ? I don't think that anyone polices those
elements. So I'm back to relying on the IC Participation Agreement,
Section 9 ?