We have a draft set of rules that are intended to govern how we manage our
attribute policies (there's a rough, unofficial copy at [1] - note that
'lookup' is our internal LDAP-based directory). Amongst other things this
draft proposes that non-anonymous attributes (including ePPN) will not be
released outside the University unless it is necessary to do so, only to
SPs who have entered into contractual or other arrangements that provide
adequate levels of protection for the data, and only after approval by an
appropriate University officer. I should say that we intend to require
on-line approval from the user for the release of their attributes the
first time they access each new SP.
Senior figures in the University have suggested that this is too
restrictive and that unless it can be relaxed (in particular in respect of
ePPN) they feel that there may be no point in our deploying a Shibboleth
IdP.
They concentrate on the example of a Shib-protected Wiki run on an ad-hoc
basis by a research group, perhaps in the US, which is protected by an ACL
listing ePPNs (not, in fact, unlike the Shibboleth project Wiki itself).
They feel that it should be possible for a member of the University to
gain access to this Wiki by simply supplying their ePPN to the Wiki
operators. In particular they believe that this should work by default
without requiring explicit IdP configuration or central approval (subject
only to the user's permission the first time they contact the wiki), and
they feel that it must not require a data processing contract since the
Wiki operators may not be able to provide one given their 'unofficial'
status within their organisation.
I would welcome comments from the rest of the UK Shibboleth community (to
the list or to me direct) on this, in particular on the data protection
issues that I believe it raises.
Jon.
[1] http://mnementh.csi.cam.ac.uk/draft-shib-attrib-meta-policy.html
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge