JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH Archives

JISC-SHIBBOLETH Archives


JISC-SHIBBOLETH@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH Home

JISC-SHIBBOLETH  April 2005

JISC-SHIBBOLETH April 2005

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

Re: Reed puts 300,000 at risk of online fraud: A good argument for using Shibboleth? Attribute Demand Policies

From:

"Paschoud,J" <[log in to unmask]>

Reply-To:

Discussion list for Shibboleth developments <[log in to unmask]>

Date:

Thu, 14 Apr 2005 15:18:45 +0100

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (110 lines)

Ross,

[apologies for cross(-border) posting]

>If we'd had time during the session I'd like to have discussed where
>decisions about what attributes are reasonable (?) should be made - for the
>JISC community. Would it be a subtask of Federation management?
>Are there existing examples? This is on the resource provider side - which
>attributes could/should be requested, not the institution's ARP. (Tho' I
>guess it is the flip side of ARP, but with 'Release' replaced by 'Request'.)

I thought I'd try naming this thing you describe, as Attribute Demand Policies (ADPs) applied by a ResourceProvider (ReP; or ServiceProvider, if you must).  Then we won't get into having to distinguish ARPs from ARPs (if you follow me ;->).

I BCCd my message to Steven Carmody and Ken Klingenstein as well, and Steven has come back with a very similar issue, about a vendor 'unreasonably'(?) demanding identifying attributes.

In the JISC Info Environment context, where we record the ADP for a particular resource would obviously(?) seem to be in extensions to the current resources registry;  go talk to Ann Apps!

Internationally, this would indeed seem to be an important bit of Federation policy (v2), and as it's being pondered over on both sides of the Atlantic, should probably best happen on one of the Internet2 Shib lists.

It also occurs to me that encouraging the establishment of (some kind of) registry(ies) of the attributes that vendors typically demand to allow access to each of their identifiable services/resources (via an institutional license) would help us to establish the requirements for eduPerson, in a very pragmatic way.  I'm confident that Keith Hazelton is on shib-users, and that he'll pick that one up ;->

John

-----Original Message-----
From: Ross MacIntyre [mailto:[log in to unmask]]
Sent: 14 April 2005 10:26
To: [log in to unmask]
Subject: Re: [JISC-SHIBBOLETH] Reed puts 300,000 at risk of online
fraud: A good argument for using Shibboleth?


John,
Yes, I noted it too! Ironic since they've been a keen early adopter.

If we'd had time during the session I'd like to have discussed where
decisions about what attributes are reasonable (?) should be made - for the
JISC community. Would it be a subtask of Federation management?
Are there existing examples? This is on the resource provider side - which
attributes could/should be requested, not the institution's ARP. (Tho' I
guess it is the flip side of ARP, but with 'Release' replaced by 'Request'.)

I ask since we've just Shibbed Zetoc Search, which only really needs to know
your institution - since it includes institutional preferences. However,
also having some persistent identifier makes the sessioning more
straight-forward and resilient. Add to this that we *need* a persistent
identifier for Zetoc Alert, to link to previously declared search terms &/or
journal lists for notification. Is it not reasonable to say Zetoc needs both
Institutional Identifier plus Persistent Individual Identifier?

We've other examples of other info being required by the rights holder.
Typically data currently gathered via registration. Though it may also have
implications for exchange of attributes to/from any intervening gateway?

I wondered how commercial concerns have compromised between what is required
for the application/service to work as intended, what the rights holder may
require and what their Marketing Dept may like.

Cheers,
Ross
--------------------------------------------------------------------
Ross MacIntyre                   T: +44(0)161-275-7181
MIMAS Service Manager   F: +44(0)161-275-6071
Manchester Computing      M: +44(0)778-095-6424
The University of Manchester
Oxford Road
Manchester           M13 9PL                U.K.
Email: [log in to unmask]
--------------------------------------------------------------------

> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Paschoud,J
> Sent: 14 April 2005 08:20
> To: [log in to unmask]
> Subject: Reed puts 300,000 at risk of online fraud: A good argument for
> using Shibboleth?
>
> [apologies for cross-posting  - but it's not at all clear who are the
> intended target audiences for JISC-SHIBBOLETH and AUTHENTICATION, and
> how/if they overlap]
>
> "Reed puts 300,000 at risk of online fraud" is in the print Guardian of
> 13-Apr-05, and at:
> http://www.guardian.co.uk/business/story/0,,1458121,00.html
> "An online security breach at Reed Elsevier has allowed access to the
> personal details of hundreds of thousands of people - nearly 10 times as
> many as previously thought - the company admitted yesterday.
> The Anglo-Dutch group said personal information on as many as 310,000
> American citizens might have been accessed fraudulently in its Seisint
> division, part of LexisNexis."
>
> Unfortunately I read the paper after I'd given the last of my briefing
> sessions on Shibboleth at the UK Serials Group Conference yesterday  -
> because it would have been *such* a good way of illustrating the
> end-user privacy benefits of e-resources vendors (amongst which Reed
> Elsevier is globally dominant by a long chalk) moving from current
> methods of access management to Shibboleth  - and thereby us (libraries,
> universities, etc) *not* handing over to Elsevier personal information
> about our students and staff (that we're trusted with by those people),
> just so they can access services like LexisNexis!
>
> John
> --
> John Paschoud
> (Project Manager, PERSEUS: www.angel.ac.uk/PERSEUS/)
> (Project Manager, ShibboLEAP: www.angel.ac.uk/ShibboLEAP/)
> Projects Manager & InfoSystems Engineer
> LSE Library
> London School of Economics & Political Science

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
December 2019
November 2019
October 2019
September 2019
August 2019
June 2019
May 2019
March 2019
February 2019
January 2019
November 2018
July 2018
June 2018
May 2018
April 2018
March 2018
January 2018
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
March 2017
February 2017
January 2017
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
December 2015
November 2015
September 2015
August 2015
June 2015
April 2015
March 2015
February 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

For help and support help@jisc.ac.uk

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager