Refeds


Subject Re: VO challenges - article
From Nick Roy <nroy@xxxxxxxxxxxxx>
Date Tue, 27 Oct 2015 16:45:18 +0000

I think the actual risk boils down to the continued relevance of institutional IT as a service, but institutional IT providers don't see it that way, and by the time they do, it will be too late.
The problem is that the reward is something that (primarily faculty and graduate students) get if their institution takes the (perceived, incorrectly I think) 'risk.'  The perceived 'risk,' in the US, in the case of R&S, seems to be based on some combination of fear and extreme risk aversion on the part of IT departments and possibly registrars, although I suspect many IT departments never get as far as having a conversation with the registrars.

These attributes are all FERPA directory data for any reasonable interpretation of FERPA.  People send plaintext email, over unencrypted channels, all day long with their email address (name identifier, usually) and displayName in it, with no discussion of risk of attribute release.  These things are required to make email work.  In addition to those things, ePPN and _maybe_ eduPersonScopedAffiliation are needed to make common R&S applications work.  How is that different from email? We require people to send email as part of their job every day, and there are no discussions about hiding someone's identity or asking them to consent to release of their displayName every time they click "send."

Nick

On 10/27/15, 10:33 AM, "Paul Caskey" <pcaskey@xxxxxxxxxxxxx> wrote:

>I agree with that, but would just point out that many IdPs fail to release attributes not because they are recalcitrant, lazy, or anything else, but that the culture common to many institutions (and CIOs) is that taking the risk of automated release (managed by a party that is legally blameless) is not justified by the benefits.
>
>So, continuing to whine to IT folks about the attribute release problem isn’t going to fix it IMHO.  We need to address the risk/reward argument and drive the conversation in other administrative areas of the institution (registrars, HR, etc).
>
>On 10/27/15, 10:39 AM, "trscavo@xxxxxxxxx on behalf of Tom Scavo" <trscavo@xxxxxxxxx on behalf of trscavo@xxxxxxxxxxxxx> wrote:
>
>>On Tue, Oct 27, 2015 at 10:04 AM, Cantor, Scott <cantor.2@xxxxxxx> wrote:
>>>
>>> IdP has a broader functional scope in SAML than just authentication. Once you have a proxy IdP that's doing all the real work of attributes and provisioning and so forth, the small bit left is easy to replace with a commodity.
>>
>>+1
>>
>>I think what you're saying (and I strongly agree) is that the
>>authentication providers will wither while the attribute providers
>>will flourish.
>>
>>Tom