Subject RE: draft charge, refeds working group on attribute release
From "Glenn Wearen" <glenn.wearen@xxxxxxxxx>
Date Fri, 1 Jul 2011 14:08:46 +0100

I took a look at the Refeds wiki, this is how I interpret the statements
each federation has made about consent.

Consent recommended			3 
No policy 					4
consent mandatory unless where 'necessary' 15

I wasn't sure which of the above SIR falls into.

Note that consent is mandatory in some federations even where the necessity
clause could be relied upon or the data contains non-PII

I'm not aware of any federation that polices mandatory consent.

Maybe the wiki should be a multi-select;
1 Consent Recommended for all attributes
2 Consent Recommended for some attributes
3 Consent Recommended for any  attributes not covered by necessity
4 Consent Mandatory for all attributes
5 Consent Mandatory for some attributes
6 Consent Mandatory for any attributes not covered by necessity
7 Consent is neither recommended nor mandatory
8 User must be provided a link to SP privacy statement
9 User must be provided a link by IdP list of necessary SPs


HEAnet Ltd. Ireland's Education and Research Network 
Registered in Ireland, no 275301.
5 Georges Dock, I.F.S.C. Dublin 1, Ireland. Tel +353 1 6609040.
Keep up to date on with Edugate developments on

-----Original Message-----
From: Mikael Linden [mailto:Mikael.Linden@xxxxxx] 
Sent: Friday, July 01, 2011 1:13 PM
To: David Simonsen; Leif Johansson
Cc: Chad La Joie; REFEDS list
Subject: RE: [refeds] draft charge, refeds working group on attribute

David> one uni actually has a use case where they want to technically 
David> implement the 'information duty'. The suggestion has been to 
David> welcome the user at the SP with information about the PI 
David> recieved and the purpose description.

The MDUI spec brings a nice solution: <mdui:PrivacyStatementURL>,
which is a link to the SP's privacy policy in the SP's metadata.
The IdP's consent module can pick the URL and show it to the user
when s/he consents or becomes informed on the attribute release.

That way the IdP can be sure the legal obligation to inform the user gets

Peter> One the one hand we seem to have virtually no consent 
Peter> functionality deployed (outside DK) 

In Haka federation, consent module have been mandatory for IdPs
since the very beginning. For Shib 1.3 we used proprietary, for
Shib 2 we use uApprove. Haka (unlike is a 
distributed Shib federation, not hub-and-spoke.

Peter>and little hope of this fact changing fast.

The eduGAIN Data protection good practice profile relies on IdPs having
a consent module in place.