Interfederation

[Scott Koranda <>]

Hi,

On Fri, Jun 7, 2013 at 10:28 AM, Steven Carmody
<>
 wrote:
> Hi,
>
> One of the problems that edugain has encountered over the last several years
> has been finding an approach whereby IDPs would be comfortable releasing
> attributes to SPs without worrying about exposure under the EU Privacy
> Directive. A refeds and Geant sponsored effort (The Data Protection Code of
> Conduct https://refeds.terena.org/index.php/Data_protection_coc ) has
> created a framework that provides both IDPs and SPs a common approach that
> allows both entities to be comfortable that they are operating in compliance
> with the EU Privacy Directive without having a bilateral contract in place.
> The CoC was piloted by several Federations with the CLARIN VO; the pilot
> produced several recommendations to simplify the CoC.
>
> The current CoC, tho, only addresses releasing attributes between parties
> that are members of the EU/EEA, or are recognized as having privacy law that
> is comparable to the EU's (eg Canada). As we all know, the US isn't an EU
> member. The EU does recognize the US Commerce Depts "Safe Harbor" Program;
> unfortunately, that program explicitly excludes Higher Ed.
>
> There is a refeds work effort this year to extend the CoC beyond the Eu.
> There has been some conversation with the Brussels-based lawyer who helped
> to develop the CoC, and he has made some recommendations on how to proceed
> with extending the CoC.
>
> I think this group's report should make some mention of the attribute
> release issues. In addition, we might want to discuss forwarding Patrick's
> thoughts to the IC lawyers for review.
>
> This hasn't been an issue in our pilots (LIGA and Cardiff), but is likely to
> be an issue as we scale up.

It has been an issue to some extent. Cardiff is only releasing an
opaque ePPN instead of an ePPN that identifies the user. Right now the
application (Foswiki) converts the ePPN to a suitable WikiName, but
since the ePPN is opaque the WikiName is also opaque, and the users
immediately noticed and complained. So I have not invited more UK
users to use the application and would not call it in production.

I have plans to "fix" this problem using COmanage to enroll the user,
consume proper identifiers self-asserted by the users, map them to the
opaque ePPN, and then make them available from a SAML attribute
authority. That work is ongoing.

I also, however, had a conversation with Andrew Cormack from the UK
and we agreed that the use of an identifying attribute (like ePPN) is
an acceptable use for the wiki because the user's reputation is linked
to his or her name and is the basis on which he or she contributes
information to the wiki to be consumed by others. Acceptable here
really means acceptable by the current EU/UK law (I am not a lawyer,
but Andrew is, for those that do not know him).

So I plan to (gently) approach the Cardiff IdP operator (Rhys Smith)
and with Andrew's assistance (or at least leveraging his knowledge)
see if I can persuade the IdP operator to release an ePPN that is not
opaque (or perhaps also release displayName, sn, givenName, or
something like that).

Thanks,

Scott K for LIGO