Subject Fwd: Re: VO challenges - article
From Licia Florio <licia.florio@xxxxxxxxx>
Date Wed, 28 Oct 2015 15:31:35 +0100

-------- Forwarded Message --------
Subject: BOUNCE refeds@xxxxxxxxxx
Date: Wed, 28 Oct 2015 15:30:31 +0100
From: owner-refeds@xxxxxxxxxx
To: nicole.harris@xxxxxxxxx, licia.florio@xxxxxxxxx

A message from wganderson12@xxxxxxxxx was not sent to the
refeds@xxxxxxxxxx list.

* User wganderson12@xxxxxxxxx is not allowed to 'post' on list

The original message is attached for your review.

--- Begin Message ---
Subject Re: [refeds] VO challenges - article
From Warren Anderson <wganderson12@xxxxxxxxx>
Date Wed, 28 Oct 2015 09:30:23 -0500
The question was whether there was anything SPs could do to mitigate the perception of risk, regardless of whether we agree the risk is real or not. While I agree with Nick that the actual risk is similar to the risk in allowing users to send email, risk is ultimately not an objectively quantifiable metric. So I think tackling it from both ends (“have you considered that you allow similar release of attributes already without worrying about it” and “if the SP agrees to the following policies would it make you feel better about releasing these attributes”) is a useful approach.


On Oct 28, 2015, at 09:08 , Jones, Mark B <Mark.B.Jones@xxxxxxxxxxx> wrote:

> I thought the argument was that there was no risk, just a lack of
> understanding.
>> -----Original Message-----
>> From: Warren Anderson [mailto:wganderson12@xxxxxxxxx]
>> Sent: Wednesday, October 28, 2015 8:57 AM
>> To: Tom Scavo <trscavo@xxxxxxxxxxxxx>
>> Cc: Paul Caskey <pcaskey@xxxxxxxxxxxxx>; Nick Roy <nroy@xxxxxxxxxxxxx>;
>> Jones, Mark B <Mark.B.Jones@xxxxxxxxxxx>; Cantor, Scott
>> <cantor.2@xxxxxxx>; Niels van Dijk <niels.vandijk@xxxxxxxxxx>;
>> refeds@xxxxxxxxxx
>> Subject: Re: [refeds] VO challenges - article
>> My guess is that I will have great difficulty accepting the risk in a way that
>> satisfies IdPOs, because my research VO is NOT a legal entity and cannot sign
>> legally binding contracts itself. Which means that some institution that supports
>> the research is going to have to sign it on behalf of SPs throughout the VO,
>> most of which are operated at other institutions. But that is almost the identical
>> model to what we have now - some campus is accepting perceived risk induced
>> by the actions of persons they have no control over or any real interest in.
>> Or is there some other way for me to accept risk that would provide acceptable
>> reassurances.
>> On Oct 27, 2015, at 17:38 , Tom Scavo <trscavo@xxxxxxxxxxxxx> wrote:
>>> On Tue, Oct 27, 2015 at 3:24 PM, Warren Anderson <wganderson12@xxxxxxxxx> wrote:
>>>> So, is there something we can have the R&S SPs do to mitigate the perceived risk?
>>> Yes, I think there is. The current model forces the IdP operator to
>>> assume the risk but clearly the SP owner is the benefactor of
>>> attribute release. It seems to me that the SP owner must *explicitly*
>>> accept the risk of attribute release. That requires a different model,
>>> I'm afraid.
>>> Tom

--- End Message ---