Subject RE: draft charge, refeds working group on attribute release
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Wed, 13 Jul 2011 08:30:50 +0000

> -----Original Message-----
> From: Ingrid Melve [mailto:ingrid.melve@xxxxxxxxxx]
> Sent: 13 July 2011 09:10
> To: Andrew Cormack
> Cc: REFEDS list
> Subject: Re: [refeds] draft charge, refeds working group on attribute
> release
> On 11.07.2011 14:13, Andrew Cormack wrote:
> > Further to my last mail, I've now done a very crude mock-up of a
> possible attribute release notice. Visual appeal is minimal, but I hope
> it makes clearer what I'm trying to get at.
> >
> developments/2011/07/11/explaining-attribute-release/
> >
> > Comments welcome, either on the blog or here
> To see a demo of what we have operational, go to
> Consent/release information pops up the first time you log in, and is
> then saved. Any user may go to the portal and remove consent, but this
> requires knowing where to go - and is rarely done in practice. Having
> the portal displaying the information transferred is mostly used when
> there is a problem with authorization or authentication, to help us
> pinpoint if the problem is related to the attributes or the login
> itself.
> Ingrid
> PS: I realize that we might have to change some of the wording for
> "consent", after the discussion on the list, but that is a longer term
> policy discussion with our local Privacy Commissioner and not something
> to do while I am on vacation...

Hi Ingrid
Sorry to disturb your holiday!

The information I'm being given looks good. But the attributes you are releasing look to me like a mixture of necessary ones and ones that really do need consent. For example, I've just tried to log in to Fronter, and it seems that to use that service I'm forced to release my full name and date of birth. I'd need a lot of convincing that Fronter can't provide service to me without knowing my date of birth, so I feel I ought to have the option of refusing release of that, and probably some others too (i.e. refuse my consent to those releases), and still carry on and use the service with only the necessary ones being disclosed. I suspect quite a lot of current interfaces get close but miss that bit.

Incidentally I don't personally care about people knowing how old I am, or when to buy me cake. But date of birth turns out to be the only "secret" you need to know to reset the password on "Verified by Visa", so restricting disclosure of that suddenly becomes rather important. Indeed since DoB turns out to be functionally equivalent to the VbV password, and I'm required by contract to tell my card issuer if anyone ever finds out my pwd, I've been tempted from time to time to inform them whenever someone finds out my DoB ;)


PS As you may have guessed, I'm unhappy with VbV because I solemnly typed in a 30 character password (twice!) before discovering that anything more than 8 digits of entropy was a complete waste of time :(

Andrew Cormack, Chief Regulatory Adviser, JANET(UK)
Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK
Phone: +44 (0) 1235 822302