[apologies for cross(-border) posting]
>If we'd had time during the session I'd like to have discussed where
>decisions about what attributes are reasonable (?) should be made - for the
>JISC community. Would it be a subtask of Federation management?
>Are there existing examples? This is on the resource provider side - which
>attributes could/should be requested, not the institution's ARP. (Tho' I
>guess it is the flip side of ARP, but with 'Release' replaced by 'Request'.)
I thought I'd try naming this thing you describe, as Attribute Demand Policies (ADPs) applied by a ResourceProvider (ReP; or ServiceProvider, if you must). Then we won't get into having to distinguish ARPs from ARPs (if you follow me ;->).
I BCCd my message to Steven Carmody and Ken Klingenstein as well, and Steven has come back with a very similar issue, about a vendor 'unreasonably'(?) demanding identifying attributes.
In the JISC Info Environment context, where we record the ADP for a particular resource would obviously(?) seem to be in extensions to the current resources registry; go talk to Ann Apps!
Internationally, this would indeed seem to be an important bit of Federation policy (v2), and as it's being pondered over on both sides of the Atlantic, should probably best happen on one of the Internet2 Shib lists.
It also occurs to me that encouraging the establishment of (some kind of) registry(ies) of the attributes that vendors typically demand to allow access to each of their identifiable services/resources (via an institutional license) would help us to establish the requirements for eduPerson, in a very pragmatic way. I'm confident that Keith Hazelton is on shib-users, and that he'll pick that one up ;->
From: Ross MacIntyre [mailto:[log in to unmask]]
Sent: 14 April 2005 10:26
To: [log in to unmask]
Subject: Re: [JISC-SHIBBOLETH] Reed puts 300,000 at risk of online
fraud: A good argument for using Shibboleth?
Yes, I noted it too! Ironic since they've been a keen early adopter.
If we'd had time during the session I'd like to have discussed where
decisions about what attributes are reasonable (?) should be made - for the
JISC community. Would it be a subtask of Federation management?
Are there existing examples? This is on the resource provider side - which
attributes could/should be requested, not the institution's ARP. (Tho' I
guess it is the flip side of ARP, but with 'Release' replaced by 'Request'.)
I ask since we've just Shibbed Zetoc Search, which only really needs to know
your institution - since it includes institutional preferences. However,
also having some persistent identifier makes the sessioning more
straight-forward and resilient. Add to this that we *need* a persistent
identifier for Zetoc Alert, to link to previously declared search terms &/or
journal lists for notification. Is it not reasonable to say Zetoc needs both
Institutional Identifier plus Persistent Individual Identifier?
We've other examples of other info being required by the rights holder.
Typically data currently gathered via registration. Though it may also have
implications for exchange of attributes to/from any intervening gateway?
I wondered how commercial concerns have compromised between what is required
for the application/service to work as intended, what the rights holder may
require and what their Marketing Dept may like.
Ross MacIntyre T: +44(0)161-275-7181
MIMAS Service Manager F: +44(0)161-275-6071
Manchester Computing M: +44(0)778-095-6424
The University of Manchester
Manchester M13 9PL U.K.
Email: [log in to unmask]
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Paschoud,J
> Sent: 14 April 2005 08:20
> To: [log in to unmask]
> Subject: Reed puts 300,000 at risk of online fraud: A good argument for
> using Shibboleth?
> [apologies for cross-posting - but it's not at all clear who are the
> intended target audiences for JISC-SHIBBOLETH and AUTHENTICATION, and
> how/if they overlap]
> "Reed puts 300,000 at risk of online fraud" is in the print Guardian of
> 13-Apr-05, and at:
> "An online security breach at Reed Elsevier has allowed access to the
> personal details of hundreds of thousands of people - nearly 10 times as
> many as previously thought - the company admitted yesterday.
> The Anglo-Dutch group said personal information on as many as 310,000
> American citizens might have been accessed fraudulently in its Seisint
> division, part of LexisNexis."
> Unfortunately I read the paper after I'd given the last of my briefing
> sessions on Shibboleth at the UK Serials Group Conference yesterday -
> because it would have been *such* a good way of illustrating the
> end-user privacy benefits of e-resources vendors (amongst which Reed
> Elsevier is globally dominant by a long chalk) moving from current
> methods of access management to Shibboleth - and thereby us (libraries,
> universities, etc) *not* handing over to Elsevier personal information
> about our students and staff (that we're trusted with by those people),
> just so they can access services like LexisNexis!
> John Paschoud
> (Project Manager, PERSEUS: www.angel.ac.uk/PERSEUS/)
> (Project Manager, ShibboLEAP: www.angel.ac.uk/ShibboLEAP/)
> Projects Manager & InfoSystems Engineer
> LSE Library
> London School of Economics & Political Science