Evolving Attribute Release Policies for campuses

[Steven Carmody]

On 4/6/16 3:35 PM, Cantor, Scott wrote:
>
>> I suspect that the differing interpretations of the use of
>> RequestedAttributes elements by R&S tagged SPs may be the result of
>> cultural differences, and the different legal frameworks that countries
>> have with respect to personal privacy. In some of the EU countries the
>> common understanding is that an IDP can only release to an SP those
>> attributes that are REQUIRED by the SP; that might be a subset of the
>> R&S bundle. If the site admins think that's what they're required to do
>> by the law .... then they'll likely look at the RequestedAttributes
>> elements. If the IDP is here in the US, well, welcome to the wild west !
>
> That's all fine, but you don't get to tag yourself as supporting R&S
if you do that. You can impose additional obligations if you need to,
but this is a *misinterpretation* of the text, not an alternative one.
>

Looking at the use case I presented, your suggestion would be to 1) NOT 
tag the site as R&S, and 2) use RequestedAttributes elements to request 
EPPN.

So, a question for IDP operators in EU countries -- if the eduGain 
metadata entry for my SP describes it as in the previous paragraph, 
would you automatically release EPPN to my site ?

Or would you release EPPN, based on user consent ?

Or would you release nothing ?

Thanks !