Refeds


Subject Re: (fwd) New version of eduPerson now entering last call
From Keith Hazelton <hazelton@xxxxxxxxxxxxx>
Date Fri, 21 Jun 2013 13:42:31 -0500

On 06/21/13, "Erdos, Marlena" wrote:
> 
> Mark,
> 
> > I believe there is a lot of support for harmonizing ePUID with the SWITCH swissEduPersonUniqueID if that helps. 
> 
> There wasn't this support evident on the most recent Mace-dir call. 

Harmonizing is different than equating. There was certainly resistance on the last conference call to making the two into one. I still see value in harmonizing to the extent we can. To me harmonization operationally would mean that SPs could accept either eduPersonUniqueId or swissEduPersonUniqueID as long as the identifier characteristics they cared about were shared by both. As I see it, they share many of the characteristics that SPs might find compelling: 

ePUID and swissEPUID are both persistent, non-reassignable, opaque and scoped. 

What's more, I'd also like to see a reference to RFC2822 for syntax for ePUID (the address spec portion of the RFC in particular). Note that does not in any way imply that ePUID is an email address.

 --Keith

> One thing I raised (which I believe Keith Hazelton is looking into) is "what other 'unique ids' are out there." My take is that we should see what the space of unique ids is before 'harmonizing.'

I haven't seen any other candidate unique ids that share the full set of characteristics that ePUID and swissEPUID share. Can anyone suggest one?

 --Keith

> (Also, during the call I brought up the aspects of the Swiss Unique Id that I found not particularly harmonious with ePUID :-). But since this is a side topic to thread, I don't think getting into specifics here is useful. (Mark: Please check out the mace-dir minutes when you have a chance....))
> 
> 
> Thank you,
> Marlena Erdos
> 
> 
> Harvard University Information Technology
> Innovation & Architecture
> Senior Technologist
> (Mobile) +1 (617) 872-9736
> 1033 Mass Ave, 4th Floor
> Cambridge, MA 02138
> 
> From: "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx>
> Date: Friday, June 21, 2013 10:28 AM
> To: Hildegunn Vada <hildegunn.vada@xxxxxxxxxx>, Andrew Cormack <Andrew.Cormack@xxxxxx>
> Cc: Mikael Linden <Mikael.Linden@xxxxxx>, Leif Johansson <leifj@xxxxxxxx>, "Cantor, Scott" <cantor.2@xxxxxxx>, "refeds@xxxxxxxxxx" <refeds@xxxxxxxxxx>
> Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call
> 
> I believe there is a lot of support for harmonizing ePUID with the SWITCH swissEduPersonUniqueID if that helps. https://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf
> 
> 
> 
> In my opinion ePUID is very different from the schacPersonalUniqueID attribute. ePUID is not at all intended to hold a national ID, and the format of the values is very different.
> 
> From: Hildegunn Vada [mailto:hildegunn.vada@xxxxxxxxxx]
> Sent: Friday, June 21, 2013 2:08 AM
> To: Andrew Cormack
> Cc: Mikael Linden; Jones, Mark B; Leif Johansson; Cantor, Scott; refeds@xxxxxxxxxx
> Subject: Re: [refeds] (fwd) New version of eduPerson now entering last call
> 
> Hi all,
> 
> and thank you for the feedback on my question. I understand it's not an easy one, and that there are many considerations and different views/traditions/legislations when it comes to such an identifier. In Norway, we still find a scoped, multivalued attribute for this kind of information very useful, and will probably recommend the use of Schac attribute schacPersonalUniqueID. Any further discussions around ePUID (or another attribute) would be very interesting.
> 
> Kind regards,
> 
> 
> Hildegunn Vada
> 
> 
> 
> 
> On 13 June 2013 at 16:48, Andrew Cormack <Andrew.Cormack@xxxxxx> wrote:
> 
> UK law (and enforcement) distinguishes directly identifying and indirectly identifying information. So here ePUID will only be regarded as personal data when held by someone who can link it to the flesh and blood individual. The originating IdP usually can do that, of course, as can any SP that asks for directly identifying information as well. Hence our law actually gives an incentive to SPs to use pseudonyms. 
> 
> The Directive isn't clear whether that's the intention or not. Other EC countries don't make the distinction, which makes it harder to sell identifiers such as ePTID/ePUID, unfortunately.
> 
> Andrew
> 
> --
> Andrew Cormack
> Chief Regulatory Adviser, Janet
> t: +44 1235 822302
> b: https://community.ja.net/blogs/regulatory-developments
> 
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238
> 
> 
> 
> 
> ________________________________________
> From: Mikael Linden [Mikael.Linden@xxxxxx]
> Sent: 13 June 2013 14:20
> To: Jones, Mark B; Leif Johansson; Cantor, Scott
> Cc: Hildegunn Vada; refeds@xxxxxxxxxx
> Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call
> 
> 
> 
> 
> Does email address qualify as personal data in Europe? IMO ePUID should be
> treated similarly with regard to sharing.
> 
> 
> The definition is:
> 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
> 
> Email address, ePPN, ePUID or even ePTID is there to identify an end user. It suggests that they all qualify as personal data.
> 
> mikael
> 
> -----Original Message-----
> From: Mikael Linden [mailto:Mikael.Linden@csc.fi]
> Sent: Thursday, June 13, 2013 4:29 AM
> To: Leif Johansson; Cantor, Scott
> Cc: Hildegunn Vada; refeds@xxxxxxxxxx
> Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call
> 
> 
> 
> 
> I don't know (or have any opinion about) whether this means that
> eduPersonUniqueID shouldn't be used for national id numbers.
> 
> 
> The current draft says eduPersonUniqueId "is meant to be freely sharable, is
> public, opaque, and..."
> In many (European) countries a National Identification Number counts as
> sensitive personal data. In those countries it doesn't seem a good idea to
> use NIN as ePUID.
> 
> Although defined as "freely sharable, public and opaque", there is still the
> possibility that ePUID qualifies as personal data in Europe and the data
> protection laws will apply to it, as Andrew mentioned. It means that the
> organization (IdP) "sharing it freely" may take some legal risks. The risks
> are probably smaller for an identifier that is opaque, though.
> 
> mikael
> 
> 
> 
> 
> Hildegunn Vada
> 
> 
> --
> 
> 
> hildegunn.vada@xxxxxxxxxx
> 
> Tel: +47 73 55 78 31 / +47 976 80 705
> 
> www.feide.no - www.uninett.no