Evolving Attribute Release Policies for campuses

Nick Roy nroy at internet2.edu
Thu Apr 7 17:11:10 EDT 2016

Steve, you should ask this question on the REFEDS list.  You'll probably get a lot more answers.  Not that that will help us get anywhere with this problem, but it will get you more data.


On 4/6/16, 2:03 PM, "users on behalf of Steven Carmody" <users-bounces at shibboleth.net on behalf of steven_carmody at brown.edu> wrote:

>On 4/6/16 3:35 PM, Cantor, Scott wrote:
>>> I suspect that the differing interpretations of the use of
>>> RequestedAttributes elements by R&S tagged SPs may be the result of
>>> cultural differences, and the different legal frameworks that countries
>>> have with respect to personal privacy. In some of the EU countries the
>>> common understanding is that an IDP can only release to an SP those
>>> attributes that are REQUIRED by the SP; that might be a subset of the
>>> R&S bundle. If the site admins think that's what they're required to do
>>> by the law .... then they'll likely look at the RequestedAttributes
>>> elements. If the IDP is here in the US, well, welcome to the wild west !
>> That's all fine, but you don't get to tag yourself as supporting R&S
>if you do that. You can impose additional obligations if you need to,
>but this is a *misinterpretation* of the text, not an alternative one.
>Looking at the use case I presented, your suggestion would be to 1) NOT 
>tag the site as R&S, and 2) use RequestedAttributes elements to request 
>So, a question for IDP operators in EU countries -- if the eduGain 
>metadata entry for my SP describes it as in the previous paragraph, 
>would you automatically release EPPN to my site ?
>Or would you release EPPN, based on user consent ?
>Or would you release nothing ?
>Thanks !
>To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list