
Hi Meshna,
On 15.03.21 18:14, Koren, Meshna (ELS-AMS) wrote:
"when no pairwise-id/eduPersonTargetedID is passed to the SP, the SP still should offer personalization based on a registered account."
Human users tend to re-use passwords, and instead of protecting themselves behind the institutional credentials, they are sharing the password with SPs during the 'registration' and make themselves vulnerable. That's not how federated access is meant to work.
If you regard a registration as not secure enough, that's of course your choice. Maybe you could consider offering different options like PubMed does.
Also, as far as the user's choice goes, users don't understand what the consequences of releasing or not releasing a pseudonymous attribute are, and why should they. This system is too complicated for users to be able to make informed decisions.
Well, if the users don't understand why they release PII like a pairwise-id/eduPersonTargetedID, then we have a fundamental problem, because the consent wouldn't be free and informed and therefore would be invalid. So we have to explain this in a way the users can understand.
If you don't trust the SPs that they are not going to abuse personal data then that is what you need to address.
If an IdP doesn't trust an SP, an attribute like pairwise-id/eduPersonTargetedID of course shouldn't be released at all, and the trust issue indeed would have to be addressed. But that's not my point. The point is that we cannot force users to consent to releasing PII (like a pairwise-id/eduPersonTargetedID) that isn't necessary (if the user doesn't want to use the personalization) and deny access to resources necessary for their studies or research if the users don't give their consent - that again wouldn't be free and informed consent.
So this could get the institution into trouble, unless there is a comparable alternative (back to IP based access?) the users could be pointed to if they don't want the information to be released. Or the institution would have to argue that no consent is needed because releasing the attribute is necessary (which would be difficult for an optional feature like personalization).
Best regards, Bernd