[Fim4l] a few meta-comments about the LexisNexis Advance Thread
Bernd Oberknapp
bo at ub.uni-freiburg.de
Tue Mar 16 13:06:08 CET 2021
Hi Meshna,
On 16.03.21 09:32, Koren, Meshna (ELS-AMS) wrote:
> 2. There's a whole *trust infrastructure* in place for the IdP to be
> able to make an informed decision about what to send in SAML assertion
> in advance; the academic community has been working really hard for the
> last 20 years to build, maintain, scale and improve it; through
> federations, REFEDS, Baseline Expectations, CoCo, SIRTFI, etc.
>
> There's room for improvement, it's a process, but what you're saying by
> inserting a 'pick and choose PII' screen between a user and an article
> is that as an IdP you essentially don't trust this trust infrastructure,
> and that a student is able to make a better decision about that than a
> manager of an IdP... and well, that's just not true.

No, what I'm saying is that the IdP manager/library can or at least
should not make that decision on behalf of the user if the PII isn't
required and consent is used as a legal basis. The IdP manager/library
could try to make that decision for the user, but this could get the IdP
manager/library into trouble if a user who doesn't want that PII to be
released files a complaint.

And of course there is a legal obligation to at least inform the user
about the release of PII, so we can't completely get rid of that screen.
I like Peter's idea to inform the user on the SP side, but I think that
would be problematic because at that point the PII already has been
released.

What I indeed don't trust are the attribute declarations in the
federation metadata, partially because of the technical limitations (no
OR and therefore no possibility to declare alternatives) but mainly
because there are obviously different opinions about when "required"
should be used. My definition would be: if I can omit an attribute and
access still works, the attribute is optional, not required.

Best regards,
Bernd
--
Bernd Oberknapp
Gesamtleitung ReDI
Albert-Ludwigs-Universität Freiburg
Universitätsbibliothek
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg | D-79016 Freiburg
Telefon: +49 761 203-3852
Telefax: +49 761 203-3987
E-Mail: bo at ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de