Print

Print


* Alistair Young <[log in to unmask]> [2008-12-10 18:11]:
> SPs in the federation get round privacy issues by just asking for
> your personal information once you're past shibboleth authn/authz
> and then link it with your ePTID.

Note that according to a recent draft by Andrew Cormack (archived at
http://www.terena.org/mail-archives/refeds/msg00373.html ) this
practice would probably make the ePTID itself "personal data" per
the Data Protection Directive (95/46/EC):
                                                
  "Clearly if a service provider subsequently collects information that
   allows them to link the identifier to the real-world person (for
   example by asking the user for their name or e-mail address) then
   the identifier will become personal data, subject to all the
   compliance requirements of EU and national laws."

Which will significantly reduce ePTID's general usefulness (e.g. by
requiring informed consent, which is quite a challenge in this case:
try to explain this attribute to your average student or professor).

So as far as "getting around privacy issues" is concerned, you might
just as well be passing on ePPN or email (not that I'm suggesting
this).

cheers,
-peter

-- 
[log in to unmask] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140