Subject Re: draft charge, refeds working group on attribute release
From "Leif Johansson" <leifj@xxxxxxxx>
Date Fri, 1 Jul 2011 14:36:16 +0200

Clearly consent has its uses. I am just saying it isn't always appropriate and I have not yet seen a convincing counter-argument to what Andrew has been saying for some time now.   

1 jul 2011 kl. 13:37 skrev "David Simonsen" <david@xxxxxxx>:

> On Jul 1, 2011, at 12:23 PM, Leif Johansson wrote:
>> On 07/01/2011 12:19 PM, Mikael Linden wrote:
>>>> Not at all. Here is why: public entities that recieve the 
>>>> social security number as part of their duties/business 
>>>> may do so without the users consent. 
>>>> But they MUST tell the user about what information it 
>>>> recieved and for what purpose. This sounds pretty much 
>>>> like the requiments for user-consent, don't you think?
>>> David,
>>> You just described the difference between attribute release based on user consent and attribute release based on necessity. The issue Andrew has been explaining us several times.
>>> In both cases you must inform the end user on the attribute release.
>>> Consent!=Necessity. The difference between the two is technically small but legally significant:
>>> - the text in the button is either "I consent to attribute release" or "I am informed on the attribute release"
>>> - if attribute release is based on consent, the consent can be withdrawn any time.
>>> mikael
>> Exactly - and you know it has to be right when Michael, Andrew
>> *and* me agree on something. Take a picture folks - it probably
>> won't happen again in your lifetimes :-)
> Not so fast, Leif ;)
> A crusual point in the discussion is weather the IdP may by itself deem an attribute release 'nesscary' (IMHO a highly slippery slope) - or wether it is legally stated as being so (by legal experts!). Remember we don't only talk about public SP's serving public IdPs here, but also commercial ones, in other countries (you heard about the Internet, rigtht?) etc. There is much more to it than what the IdP thinks is most convinient or deem 'nessecary'. Hence the jungle - which in all cases, so far, is covered by user-consent. And hence the (DK) consensus that user-consent is the way to go, not at least as a principle cautiousness in what all recognize as the 'early days of federations' where personal information is used for authorization in changing security domains.
> Mikael, I have not yet come across / thought about a sinlge-button-interface saying "I am informed on the attribute release" - but we should perhaps consider that option, as one uni actually has a use case where they want to technically implement the 'information duty'. The suggestion has been to welcome the user at the SP with information about the PI recieved and the purpose description.
> /David