Refeds


Subject RE: draft charge, refeds working group on attribute release
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Wed, 13 Jul 2011 08:53:05 +0000

> -----Original Message-----
> From: Nicole Harris [mailto:nicole.harris@xxxxxxxxxxxxxxxxx]
> Sent: 13 July 2011 09:48
> To: Andrew Cormack
> Cc: Ingrid Melve; REFEDS list
> Subject: Re: [refeds] draft charge, refeds working group on attribute
> release
> 
> Brilliant, phone the bank and solemnly explain to them your mum knows
> your date of birth and ask them to 'reset' it.

So far I've only thought about it. But one day they might upset me enough...
 
> With MasterCard SecureCode they insist on 8 digits plus with 2 numbers
> and one capital, which is plain annoying and I always forget it...but
> again use DOB simply to reset.

I did that too (and in one case requesting a password reset was sufficient to have the transaction authorised!). But since I made the password an offensive comment on the banking sector I've had no problem remembering it :)

Andrew

> Sent from my iPhone
> 
> On 13 Jul 2011, at 09:30, Andrew Cormack <Andrew.Cormack@xxxxxx> wrote:
> 
> >
> >> -----Original Message-----
> >> From: Ingrid Melve [mailto:ingrid.melve@xxxxxxxxxx]
> >> Sent: 13 July 2011 09:10
> >> To: Andrew Cormack
> >> Cc: REFEDS list
> >> Subject: Re: [refeds] draft charge, refeds working group on attribute
> >> release
> >>
> >> On 11.07.2011 14:13, Andrew Cormack wrote:
> >>> Further to my last mail, I've now done a very crude mock-up of a
> >>> possible attribute release notice. Visual appeal is minimal, but I hope
> >>> it makes clearer what I'm trying to get at.
> >>> http://webmedia.company.ja.net/edlabblogs/regulatory-developments/2011/07/11/explaining-attribute-release/
> >>>
> >>> Comments welcome, either on the blog or here
> >>
> >> To see a demo of what we have operational, go to
> >> http://www.feide.no/demo-english
> >>
> >> Consent/release information pops up the first time you log in, and is
> >> then saved. Any user may go to the portal and remove consent, but this
> >> requires knowing where to go - and is rarely done in practice. Having
> >> the portal displaying the information transferred is mostly used when
> >> there is a problem with authorization or authentication, to help us
> >> pinpoint if the problem is related to the attributes or the login
> >> itself.
> >>
> >>
> >> Ingrid
> >> PS: I realize that we might have to change some of the wording for
> >> "consent", after the discussion on the list, but that is a longer term
> >> policy discussion with our local Privacy Commissioner and not something
> >> to do while I am on vacation...
> >
> > Hi Ingrid
> > Sorry to disturb your holiday!
> >
> > The information I'm being given looks good. But the attributes you
> > are releasing look to me like a mixture of necessary ones and ones that
> > really do need consent. For example I've just tried to log in to
> > Fronter, and it seems that to use that service I'm forced to release my
> > full name and date of birth. I'd need a lot of convincing that Fronter
> > can't provide service to me without knowing my date of birth so I feel
> > I ought to have the option of refusing release of that, and probably
> > some others too (i.e. refuse my consent to those releases), and still
> > carry on and use the service with only the necessary ones being
> > disclosed. I suspect quite a lot of current interfaces get close but
> > miss that bit.
> >
> > Incidentally I don't personally care about people knowing how old I
> > am, or when to buy me cake. But date of birth turns out to be the only
> > "secret" you need to know to reset the password on "Verified by Visa",
> > so restricting disclosure of that suddenly becomes rather important.
> > Indeed since DoB turns out to be functionally equivalent to the VbV
> > password, and I'm required by contract to tell my card issuer if anyone
> > ever finds out my pwd, I've been tempted from time to time to inform
> > them whenever someone finds out my DoB ;)
> >
> > Andrew
> >
> > PS As you may have guessed, I'm unhappy with VbV because I solemnly
> > typed in a 30 character password (twice!) before discovering that
> > anything more than 8 digits of entropy was a complete waste of time :(
> >
> > --
> > Andrew Cormack, Chief Regulatory Adviser, JANET(UK)
> > Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK
> > Phone: +44 (0) 1235 822302
> > Blog: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/
> >
> > JANET, the UK's education and research network
> >
> > JANET(UK) is a trading name of The JNT Association, a company limited
> > by guarantee which is registered in England under No. 2881024
> > and whose Registered Office is at Lumen House, Library Avenue,
> > Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG