[Fim4l] a few meta-comments about the LexisNexis Advance Thread

Bernd Oberknapp bo at ub.uni-freiburg.de
Tue Mar 16 13:06:08 CET 2021


Hi Meshna,

On 16.03.21 09:32, Koren, Meshna (ELS-AMS) wrote:

 > 2. There's a whole *trust infrastructure* in place for the IdP to be
 > able to make an informed decision about what to send in SAML assertion
 > in advance; the academic community has been working really hard for the
 > last 20 years to build, maintain, scale and improve it; through
 > federations, REFEDS, Baseline Expectations, CoCo, SIRTFI, etc.
 >
 > There's room for improvement, it's a process, but what you're saying by
 > inserting a 'pick and choose PII' screen between a user and an article
 > is that as an IdP you essentially don't trust this trust infrastructure,
 > and that a student is able to make a better decision about that than a
 > manager of an IdP... and well, that's just not true.

no, what I'm saying is that the IdP manager/library can or at least 
should not make that decision on behalf of the user if the PII isn't 
required and consent is used as a legal basis. The IdP manager/library 
could try to make that decision for the user, but this could get the IdP 
manager/library into trouble if a user who doesn't want that PII to be 
released files a complaint.

And of course there is a legal obligation to at least inform the user 
about the release of PII, so we can't completely get rid of that screen. 
I like Peter's idea to inform the user on the SP side, but I think that 
would be problematic because at that point the PII already has been 
released.

What I indeed don't trust are the attribute declarations in the 
federation metadata, partially because of the technical limitations (no 
OR and therefore no possibility to declare alternatives) but mainly 
because there are obviously different opinions about when "required" 
should be used. My definition would be: if I can omit an attribute and 
access still works, the attribute is optional, not required.

Best regards,
Bernd

-- 
Bernd Oberknapp
Gesamtleitung ReDI

Albert-Ludwigs-Universität Freiburg
Universitätsbibliothek
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg        | D-79016 Freiburg

Telefon:  +49 761 203-3852
Telefax:  +49 761 203-3987
E-Mail:   bo at ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de
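As an added example, not part of Bernd's message or of any federation or IdP software, the Python script below shows what the "required" declarations in SP metadata discussed above actually look like (the `isRequired` flag on each `RequestedAttribute` in an `AttributeConsumingService`) and how an IdP that uses consent as its legal basis could derive a minimal release set from them: required attributes are released, optional ones only where the user has agreed. The SP metadata is constructed for illustration and the function names are my own; the flag-based format can only mark each attribute individually, which is exactly why it cannot express the alternatives ("A or B") the message complains about.

```python
"""Classify the attributes an SP requests in its SAML 2.0 metadata and build
a consent-aware, minimal attribute release set.

Added example. The SP metadata below is constructed, not copied from any real
federation. Assumption: the SP publishes an AttributeConsumingService whose
RequestedAttribute elements carry the isRequired flag (absent means optional).
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: one required attribute, one explicitly optional one,
# and one with no isRequired flag at all (which the spec treats as optional).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example Publisher</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          isRequired="true"/>
      <md:RequestedAttribute FriendlyName="eduPersonEntitlement"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          isRequired="false"/>
      <md:RequestedAttribute FriendlyName="mail"
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def requested_attributes(metadata_xml):
    """Return {friendly_name: is_required} for every RequestedAttribute.

    isRequired defaults to false when the attribute is absent, so an SP that
    forgets the flag is asking for an optional attribute, not a required one.
    """
    root = ET.fromstring(metadata_xml)
    declared = {}
    for ra in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        name = ra.get("FriendlyName") or ra.get("Name")
        declared[name] = ra.get("isRequired", "false").lower() == "true"
    return declared


def consent_items(declared, available):
    """Optional attributes the IdP actually holds for this user: these are the
    ones a consent screen has to ask about. Required ones need informing only."""
    return {name for name, required in declared.items()
            if not required and name in available}


def release_set(declared, available, consented_optional):
    """Attributes to put into the assertion: every required attribute the IdP
    holds, plus optional attributes only where the user consented. Attributes
    the SP never declared are never released, whatever the user agreed to."""
    released = set()
    for name, required in declared.items():
        if name not in available:
            continue
        if required or name in consented_optional:
            released.add(name)
    return released


if __name__ == "__main__":
    declared = requested_attributes(SAMPLE_SP_METADATA)
    # Constructed user record: which attributes the IdP has for this person.
    user_attrs = {"eduPersonScopedAffiliation", "eduPersonEntitlement",
                  "mail", "displayName"}
    print("declared:", declared)
    print("ask consent for:", consent_items(declared, user_attrs))
    print("release (consent to mail only):",
          release_set(declared, user_attrs, {"mail"}))
```

Note that the script can only trust what the SP declares; whether a "required" attribute is really needed for access (Bernd's test: omit it and see whether access still works) is something the code cannot check and has to be established by the IdP operator.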
