Skip to Content.
Sympa Menu

shibboleth-dev - RE: [Shib-Dev] SHIB Status call -- 6/9/2008) -- 12:00 pm EDT, 9am PDT

Subject: Shibboleth Developers

List archive

RE: [Shib-Dev] SHIB Status call -- 6/9/2008) -- 12:00 pm EDT, 9am PDT


Chronological Thread 
  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] SHIB Status call -- 6/9/2008) -- 12:00 pm EDT, 9am PDT
  • Date: Tue, 10 Jun 2008 11:51:11 -0400
  • Organization: The Ohio State University

> Apparently (for IANAL), within the context of EU privacy legislation
> user consent is not required *if* 'necessity' can be demonstrated (ie.
> the necessity for an Institution to release information in order to to
> fulfill their responsibility to educate you).

We call this the FERPA exception in the US. Once you open it, it's a nice
catch-all, and privacy becomes a matter of universities self-imposing
discipine. I say this knowing that some schools are still very strict about
it and some aren't.

> A further issue with 'consent' is that a user can withdraw it at any
> time, and so 'necessity' is likely to be easier to operate.

It is, but it's also too static to make collaboration work. I can't be
involved in deciding for my users whether to release identifiers to some
colleague's wiki. That has to be dynamic and up to each user to scale.

Some schools don't accept that model, which is fine, but they won't be using
their university accounts to support those use cases.

The trick to me is in figuring out how to identify those SPs vs. the average
SP that's operated by a business somewhere. This is where I think we need
tagging of SPs based on criteria that would support dynamic release. Not
sure what criteria though.

-- Scott





Archive powered by MHonArc 2.6.16.

Top of Page