Subject Re: draft charge, refeds working group on attribute release
From Nicole Harris <nicole.harris@xxxxxxxxxxxxxxxxx>
Date Wed, 13 Jul 2011 09:48:03 +0100

Brilliant, phone the bank and solemnly explain to them your mum knows your date of birth and ask them to 'reset' it. 

With MasterCard SecureCode they insist on 8 digits plus with 2 numbers and one capital, which is plain annoying and I always forget it...but again use DOB simply to reset. 

Sent from my iPhone

On 13 Jul 2011, at 09:30, Andrew Cormack <Andrew.Cormack@xxxxxx> wrote:

>> -----Original Message-----
>> From: Ingrid Melve [mailto:ingrid.melve@xxxxxxxxxx]
>> Sent: 13 July 2011 09:10
>> To: Andrew Cormack
>> Cc: REFEDS list
>> Subject: Re: [refeds] draft charge, refeds working group on attribute release
>> On 11.07.2011 14:13, Andrew Cormack wrote:
>>> Further to my last mail, I've now done a very crude mock-up of a possible attribute release notice. Visual appeal is minimal, but I hope it makes clearer what I'm trying to get at.
>>> developments/2011/07/11/explaining-attribute-release/
>>> Comments welcome, either on the blog or here
>> To see a demo of what we have operational, go to
>> Consent/release information pops up the first time you log in, and is
>> then saved. Any user may go to the portal and remove consent, but this
>> requires knowing where to go - and is rarely done in practice. Having
>> the portal displaying the information transferred is mostly used when
>> there is a problem with authorization or authentication, to help us
>> pinpoint if the problem is related to the attributes or the login
>> itself.
>> Ingrid
>> PS: I realize that we might have to change some of the wording for
>> "consent", after the discussion on the list, but that is a longer term
>> policy discussion with our local Privacy Commissioner and not something
>> to do while I am on vacation...
> Hi Ingrid
> Sorry to disturb your holiday!
> The information I'm being given looks good. But the attributes you are releasing look to me like a mixture of necessary ones and ones that really do need consent. For example I've just tried to log in to Fronter, and it seems that to use that service I'm forced to release my full name and date of birth. I'd need a lot of convincing that Fronter can't provide service to me without knowing my date of birth so I feel I ought to have the option of refusing release of that, and probably some others too (i.e. refuse my consent to those releases), and still carry on and use the service with only the necessary ones being disclosed. I suspect quite a lot of current interfaces get close but miss that bit.
> Incidentally I don't personally care about people knowing how old I am, or when to buy me cake. But date of birth turns out to be the only "secret" you need to know to reset the password on "Verified by Visa", so restricting disclosure of that suddenly becomes rather important. Indeed since DoB turns out to be functionally equivalent to the VbV password, and I'm required by contract to tell my card issuer if anyone ever finds out my pwd, I've been tempted from time to time to inform them whenever someone finds out my DoB ;)
> Andrew
> PS As you may have guessed, I'm unhappy with VbV because I solemnly typed in a 30 character password (twice!) before discovering that anything more than 8 digits of entropy was a complete waste of time :(
> --
> Andrew Cormack, Chief Regulatory Adviser, JANET(UK)
> Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK
> Phone: +44 (0) 1235 822302
> Blog:
> JANET, the UK's education and research network
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG