Subject Re: [MACE-Dir] eduPersonSubjectIDGUID
From Nate Klingenstein <ndk@xxxxxxxxxxxxx>
Date Fri, 23 Oct 2015 03:01:22 +0000

> This would be avoiding grouping providers to the extent possible, but instead documenting their behavior and needs on a more atomic level, allowing for much better disclosure to the user about the implications of a consent decision.

And, specifically, I keep the statistics from SWITCHaai and the recent consent data collected by at the forefront of my mind at all times.  A full 70% elected to be asked about attribute release each time in the Danish data, and SWITCHaai reported huge amounts of variation in the set of attributes each service requests, something made possible by their distribution of attribute filter policy templates.

I think this reflects a reality that we could achieve, not through homogeneity of requirements, but through having a common language to express the identity data needed to plumb all of this.  Users care far more deeply about their privacy than I had expected, and I feel an obligation to give them the right to protect their privacy as they wish.

Another piece of the proposal, #4, gives attributes some basic plaintext information explaining, to the best of our abilities, the fields expressed to providers, as well as a way to group attributes into categories for easier explanation to users, similar to what Facebook does, except distributed.

I would expect standards organizations, federations, REFEDS, and others to host attribute definitions that would be combined with the relying party’s expressed rationale.  This would give the user the maximum amount of disclosure to make the call.

Universally, I don’t know what the best or right answers here look like.  Instead, my dogma argues for a distributed identity data model that would remove many of the constraints that are built into our model today and allow deployments to experiment with brand new approaches to all this stuff — e.g. in the case of consent, how much to disclose to the user, in what shape or form — and then best practices could begin to emerge as we gained practical experience from the world trying out new ideas and seeing what works.

Take care,