Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Fri, 01 Jul 2011 18:09:58 +0100

this is a different use case. The exams service is conceptually internal to the university and necessary for it to do its business. So the university if free to move user attributes between its own systems as necessary in order to perform its essential business. This is allowed under DP legislation. So no consent is needed for this use case



On 01/07/2011 10:04, Leif Johansson wrote:
Hash: SHA1

the user is not compelled to take the service. He decides he wants it
and consents to his attributes in exchange. What is wrong with that?
Surely this then removes all risk and liability from the IdP, which
appears to be one of your concerns

Of course the user may be compelled to use a service!

Several universities use online service to register for
exams for instance.

You can't possibly argue that "Then don't get a degree,
see if we care!" is a reasonable alternative to consenting
to attribute release for that service.

	Cheers Leif
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla -



David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5