Subject Re: draft charge, refeds working group on attribute release
From David Chadwick <d.w.chadwick@xxxxxxxxxx>
Date Wed, 13 Jul 2011 10:55:48 +0100

Hi Ingrid

this is a massive improvement over what we typically have today in the UK. You are now giving the user visibility over what is happening with his PII. However, like Andrew, I rather think that too much information is being divulged that is not essential for the performance of the task in hand. Perhaps indicating which attributes are optional and allowing choice would help.

I think it might also be good idea on the login page to have a "remind me" tick box or similar, which if clicked displays the list of attributes again to the user. Otherwise if the list is only shown the first time the user logins to an SP, and there is no easy way of discovering this again, then the user looses visibility over what PII is subsequently being released to an SP.

Other issues to consider are

i) what if the SP requires different attributes for different resources? Do you release them all initially (i.e. maximum privileges and maximum disclosure) or repeat the release cycle (i.e. increasing privileges and minimal disclosure)

ii) how to deal with attributes from multiple IdPs



On 13/07/2011 09:09, Ingrid Melve wrote:
On 11.07.2011 14:13, Andrew Cormack wrote:
Further to my last mail, I've now done a very crude mock-up of a possible attribute release notice. Visual appeal is minimal, but I hope it makes clearer what I'm trying to get at.

Comments welcome, either on the blog or here

To see a demo of what we have operational, go to

Consent/release information pops up the first time you log in, and is
then saved. Any user may go to the portal and remove consent, but this
requires knowing where to go - and is rarely done in practice. Having
the portal displaying the information transferred is mostly used when
there is a problem with authorization or authentication, to help us
pinpoint if the problem is related to the attributes or the login itself.

  PS: I realize that we might have to change some of the wording for
"consent", after the discussion on the list, but that is a longer term
policy discussion with our local Privacy Commissioner and not something
to do while I am on vacation...


David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page:
Research Web site:
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5