Another less benign possibility is different operators who have a shared pseudonymous identifier and different sets of (on their own) non-identifying personal information getting together such that the set of information becomes enough to now identify an individual.
This is why the identifier should be targeted as narrowly as possible by default, and only targeted more broadly when the advantages outweigh the risks, or when there's policy in place to manage the risks.
Rhys,
Sent from a device without a real keyboard, so excuse any typos!
> On 23 May 2014, at 22:10, Stefan Paetow wrote:
>
> Oh, I see.
>
> Impersonation being one less benign possibility… Yes, that's true. If a site has control over its RP proxy, that's probably very unlikely, but if a central RP proxy served several sites (take Oxford Uni as an example), then it's a distinct possibility?
>
> Perhaps that's something we may need to keep in mind for the policy…
>
> Stefan
>
>
>
> ________________________________________
> From: Josh Howlett
> Sent: 23 May 2014 21:51
> To: Stefan Paetow; [log in to unmask]
> Subject: RE: Attribute filtering / access control with moonshot
>
>>> There is also value for an IdP in having the option to choose between
>>> releasing identifiers for realm and/or CoI. It is in effect a
>>> mechanism for the IdP to manage its tolerance of collusion between
>>> realms.
>>
>> Collusion? Sorry, could you explain more in detail?
>
> Collusion meaning the sharing of identifiers. It can either be benign, or not, depending on the goals of the colluders. If it is a research VO, it is probably benign. But clearly there are less benign possibilities.
>
> Josh.
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238