Refeds


Subject Re: (fwd) New version of eduPerson now entering last call
From "Erdos, Marlena" <marlena_erdos@xxxxxxxxxxx>
Date Fri, 21 Jun 2013 18:58:57 +0000

Keith,

>Harmonizing is different than equating. There was certainly resistance on
>the last conference call to making the two into one. I still see value in
>harmonizing to the extent we can. To me harmonization operationally would
>mean that SPs could accept either eduPersonUniqueId or
>swissEduPersonUniqueID as long as the identifier characteristics they
>cared about were shared by both
>


I'm fine with "harmonizing" as you state it -- I just want to keep
separate OIDs. Last time I looked not everyone felt this way.


> What's more, I'd also like to see a reference to RFC2822 for syntax for
>ePUID (the address spec portion of the RFC in particular).


I'd like this too :-).

Thx,
Marlena






-----Original Message-----
From: Keith Hazelton <hazelton@xxxxxxxxxxxxx>
Reply-To: KEITH HAZELTON <hazelton@xxxxxxxx>
Date: Friday, June 21, 2013 14:42 PM
To: REFeds <refeds@xxxxxxxxxx>, Marlena Erdos <Marlena_Erdos@xxxxxxxxxxx>
Subject: Re: [refeds] (fwd) New version of eduPerson now entering last call

>On 06/21/13, "Erdos, Marlena"  wrote:
>> 
>> Mark,
>> 
>> > I believe there is a lot of support for harmonizing ePUID with the
>>SWITCH swissEduPersonUniqueID if that helps.
>> 
>> There wasn't this support evident on the most recent Mace-dir call.
>
>Harmonizing is different than equating. There was certainly resistance on
>the last conference call to making the two into one. I still see value in
>harmonizing to the extent we can. To me harmonization operationally would
>mean that SPs could accept either eduPersonUniqueId or
>swissEduPersonUniqueID as long as the identifier characteristics they
>cared about were shared by both. As I see it, they share many of the
>characteristics that SPs might find compelling:
>
>ePUID and swissEPUID are both persistent, non-reassignable, opaque and
>scoped. 
>
>What's more, I'd also like to see a reference to RFC2822 for syntax for
>ePUID (the address spec portion of the RFC in particular). Note that does
>not in any way imply that ePUID is an email address.
>
> --Keith
>
>>One thing I raised (which I believe Keith Hazelton is looking into) is
>>"what other 'unique ids' are out there." My take is that we should see
>>what the space of unique ids is before 'harmonizing.'
>
>I haven't seen any other candidate unique ids that share the full set of
>characteristics that ePUID and swissEPUID share. Can anyone suggest one?
>
> --Keith
>
>> (Also, during the call I brought up the aspects of the Swiss Unique Id
>>that I found not particularly harmonious with ePUID :-). But since this
>>is a side topic to thread, I don't think getting into specifics here is
>>useful. (Mark: Please check out the mace-dir minutes when you have a
>>chance....))
>> 
>> 
>> Thank you,
>> Marlena Erdos
>> 
>> 
>> Harvard University Information Technology
>> Innovation & Architecture
>> Senior Technologist
>> (Mobile) +1 (617) 872-9736
>> 1033 Mass Ave, 4th Floor
>> Cambridge, MA 02138
>> 
>> 
>> 
>> 
>> 
>> 
>> From: "Jones, Mark B" <Mark.B.Jones@xxxxxxxxxxx>
>> Date: Friday, June 21, 2013 10:28 AM
>> To: Hildegunn Vada <hildegunn.vada@xxxxxxxxxx>, Andrew Cormack <Andrew.Cormack@xxxxxx>
>> Cc: Mikael Linden <Mikael.Linden@xxxxxx>, Leif Johansson <leifj@xxxxxxxx>, "Cantor, Scott" <cantor.2@xxxxxxx>, "refeds@xxxxxxxxxx" <refeds@xxxxxxxxxx>
>> Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call
>> 
>> 
>> 
>> 
>> I believe there is a lot of support for harmonizing ePUID with the
>>SWITCH swissEduPersonUniqueID if that helps.
>>https://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf
>> 
>> 
>> 
>> In my opinion ePUID is very different from the schacPersonalUniqueID
>>attribute. ePUID is not at all intended to hold a national ID, and the
>>format of the values are very different.
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> From: Hildegunn Vada [mailto:hildegunn.vada@xxxxxxxxxx]
>> Sent: Friday, June 21, 2013 2:08 AM
>> To: Andrew Cormack
>> Cc: Mikael Linden; Jones, Mark B; Leif Johansson; Cantor, Scott; refeds@xxxxxxxxxx
>> Subject: Re: [refeds] (fwd) New version of eduPerson now entering last call
>> 
>> 
>> 
>> 
>> 
>> Hi all,
>> 
>> 
>> 
>> 
>> and thank you for the feedback on my question. I understand it's not an
>>easy one, and that there are many considerations and different
>>views/traditions/legislations when it comes to such an identifier. In
>>Norway, we still find a scoped, multivalued attribute for this kind of
>>information very useful, and will probably recommend the use of Schac
>>attribute schacPersonalUniqueID. Any further discussions around ePUID
>>(or another attribute) would be very interesting.
>> 
>> 
>> 
>> 
>> 
>> Kind regards,
>> 
>> 
>> Hildegunn Vada
>> 
>> 
>> 
>> 
>> On 13 June 2013 at 16:48, Andrew Cormack <Andrew.Cormack@xxxxxx> wrote:
>> 
>> 
>> 
>> 
>> 
>> 
>> UK law (and enforcement) distinguishes directly identifying and
>>indirectly identifying information. So here ePUID will only be regarded
>>as personal data when held by someone who can link it to the flesh and
>>blood individual. The originating IdP usually can do that, of course, as
>>can any SP that asks for directly identifying information as well. Hence
>>our law actually gives an incentive to SPs to use pseudonyms.
>> 
>> The Directive isn't clear whether that's the intention or not. Other EC
>>countries don't make the distinction, which makes it harder to sell
>>identifiers such as ePTID/ePUID, unfortunately.
>> 
>> Andrew
>> 
>> --
>> Andrew Cormack
>> Chief Regulatory Adviser, Janet
>> t: +44 1235 822302
>> b: https://community.ja.net/blogs/regulatory-developments
>> 
>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>>not-for-profit company which is registered in England under No. 2881024
>>and whose Registered Office is at Lumen House, Library Avenue, Harwell
>>Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238
>> 
>> 
>> 
>> 
>> ________________________________________
>> From: Mikael Linden [Mikael.Linden@xxxxxx]
>> Sent: 13 June 2013 14:20
>> To: Jones, Mark B; Leif Johansson; Cantor, Scott
>> Cc: Hildegunn Vada; refeds@xxxxxxxxxx
>> Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call
>> 
>> 
>> 
>> 
>> Does email address qualify as personal data in Europe? IMO ePUID should
>> be treated similarly with regard to sharing.
>> 
>> 
>> The definition is:
>> 'personal data' shall mean any information relating to an identified or
>>identifiable natural person ('data subject'); an identifiable person is
>>one who can be identified, directly or indirectly, in particular by
>>reference to an identification number or to one or more factors specific
>>to his physical, physiological, mental, economic, cultural or social
>>identity;
>> 
>> Email address, ePPN, ePUID or even ePTID is there to identify an end
>>user. It suggests that they all qualify as personal data.
>> 
>> mikael
>> 
>> -----Original Message-----
>> From: Mikael Linden [mailto:Mikael.Linden@csc.fi]
>> Sent: Thursday, June 13, 2013 4:29 AM
>> To: Leif Johansson; Cantor, Scott
>> Cc: Hildegunn Vada; refeds@xxxxxxxxxx
>> Subject: RE: [refeds] (fwd) New version of eduPerson now entering last call
>> 
>> 
>> 
>> 
>> I don't know (or have any opinion about) whether this means that
>> eduPersonUniqueID shouldn't be used for national id numbers.
>> 
>> 
>> The current draft says eduPersonUniqueId "is meant to be freely
>> sharable, is public, opaque, and..."
>> In many (European) countries a National Identification Number counts as
>> sensitive personal data. In those countries it doesn't seem a good idea
>> to use NIN as ePUID.
>> 
>> Although defined as "freely sharable, public and opaque", there is
>> still the possibility that ePUID qualifies as personal data in Europe
>> and the data protection laws will apply to it, as Andrew mentioned. It
>> means that the organization (IdP) "sharing it freely" may take some
>> legal risks. The risks are probably smaller for an identifier that is
>> opaque, though.
>> 
>> mikael
>> 
>> 
>> 
>> 
>> Hildegunn Vada
>> 
>> 
>> --
>> 
>> 
>> hildegunn.vada@xxxxxxxxxx
>> 
>> 
>> Tel: +47 73 55 78 31 / +47 976 80 705
>> 
>> 
>> 
>> www.feide.no - www.uninett.no