Evolving Attribute Release Policies for campuses

Cantor, Scott cantor.2 at osu.edu
Wed Apr 6 16:07:47 EDT 2016

On 4/6/16, 3:59 PM, "users on behalf of Steven Carmody" <users-bounces at shibboleth.net on behalf of steven_carmody at brown.edu> wrote:

>But, for non-academic-SPs within IC, do I really want to trust that 
>they've accurately portrayed the needs of their application with their 
>RequestedAttributes elements ?

I think you can assume they mostly don't exist, or are wrong, or are just not possible to easily express (if we bring isRequired into the conversation). So I have the same answer I gave on the participants list, no, I would not be using that as a basis for attribute release.

In some communities there may be a different answer, but with eduGAIN in the mix, I just don't think those community boundaries work.

> I don't think that anyone polices those elenents. So I'm back to relying on the IC Participation Agreement, Section 9 ?

That doesn't apply to eduGAIN, so I think that's being short sighted. I would be looking to what *you* need to mitigate risk without reference to the RP. Maybe that's consent, maybe it's the directory data classification, etc. And maybe it's "nope, not worth it". I don't think that the set of SPs you're talking about represent a critical constituency for my users.

Honestly, I think the bigger problem is the don't ask, don't tell aspect of this for US universities as it pertains to European students. That's not a fun can of worms to open.

-- Scott

More information about the users mailing list