Attribute Release. Contractual Matters

Similar documents
DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

Options for Joining edugain. Lukas Hämmerle, SWITCH DARIAH Workshop, Köln 18 October 2013

SWITCHaai Service Description

Federated Identity Management

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

Attribute Release in SWITCHaai

Federated Identity Management

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)

1. General requirements

REFEDS Minutes, 22 April 2012

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

New trends in Identity Management

To make that choice, please click under privacy policy the checkbox (

GDPR and DPO. DPO and DPM. Michel Gerdes DPO DFN-CERT Services GmbH DFN-CERT Services GmbH GDPR and DPO: Slide 1

ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability

Data Privacy Statement for myportal to go

Attribute Release Update

Can R&E federations trust Research Infrastructures? - The Snctfi Trust Framework

Adtech and GDPR What to consider when choosing your partner

Google Cloud & the General Data Protection Regulation (GDPR)

Shibboleth authentication for Sync & Share - Lessons learned

Impacts of the GDPR in Afnic - Registrar relations: FAQ

EGNOS and ESSP Certification. ESESA Aviation Workshop 26 th - 27 th October 2010

Privacy Policy. MIPS Website Privacy Policy. Document Information. Contact Details. Version 1.0 Version date March 2018.

Géant-TrustBroker Dynamic inter-federation identity management

Privacy Statement for Use of the Certification Service of Swisscom (sales name: "All-in Signing Service")

Eight Minute Expert GDPR

Key Updates to the IPC s Survey Research Guidelines

CliniSys Website Privacy Policy

Wonde may collect personal information directly from You when You:

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

Fluid Metering, Inc. Privacy Policy

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

GÉANT-TrustBroker project overview

EUDAT - Open Data Services for Research

The GDPR Are you ready?

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

GDPR is coming in less than 2 months Are you ready?

Data Processing Agreement

1. General provisions

2. Which personal data is processed by SF Studios and from which source does the personal data originate?

Legal Notice SEPRAD Expert-Workshop 2017

eid Interoperability for PEGS WS-Federation

CEM Benchmarking Privacy Policy

Introduction. Prepared by: ICANN Org Published on: 12 January 2018

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

EU data security and privacy trends

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

EUDAT. A European Collaborative Data Infrastructure. Daan Broeder The Language Archive MPI for Psycholinguistics CLARIN, DASISH, EUDAT

PRIVACY NOTICE 1. Introduction

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

DATA PROTECTION LAWS OF THE WORLD. Germany

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

ANSI-CFP Accredited Food Protection Manager Certification Programs Education Outreach. Benefits of the ANSI-CFP Accredited Certification Programs

Data Protection and Privacy Policy PORTOBAY GROUP Version I

SAFE-BioPharma RAS Privacy Policy

Legal compliance requests for social networks, as shown by greydate.com, a mock social community network site, based on German law / EC Directives

Law Enforcement Recommended RAA Amendments and ICANN Due Diligence Detailed Version

Intexta Web Services Privacy Statement

IaaS Framework Agreements Pan-European Cloud Services ready for adoption

ENISA s Position on the NIS Directive

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Introducing Shibboleth. Sebastian Rieger

Third public workshop of the Amsterdam Group and CODECS C-ITS Deployment in Europe: Common Security and Certificate Policy

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Tucows Guide to the GDPR. March 2018

One Sector Community Limited ACN ( OSC ) Privacy Policy

Introduction to Identity Management Systems

SCALA FUND ADVISORY PRIVACY POLICY

JRA5: Roaming and Authorisation

LAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION»

Inspiring Insights Ltd Privacy Policy - May Important Information. 2. The data we collect and how we store it.

Privacy Statement for Use of the Trust Service of Swisscom IT Services Finance S.E., Austria

2. HDF AAI Meeting -- Demo Slides

Networking Session - A trusted cloud ecosystem How to help SMEs innovate in the Cloud

GDPR and the Privacy Shield

Privacy Policy. LAST UPDATED: 23 June March 2017

Token-based Payment in Dynamic SAML-based Federations

VERSION 1.3 MAY 1, 2018 SNOWFLY PRIVACY POLICY SNOWFLY PERFORMANCE INC. P.O. BOX 95254, SOUTH JORDAN, UT

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Towards Horizon The Enabling Users

InCommon Federation: Participant Operational Practices

Down Under Centre Employment Hub - Privacy Policy Introduction

GENERAL DATA PROTECTION REGULATION (GDPR) CLIENT INFORMATION GENERAL DATA PROTECTION REGULATION CLIENT INFORMATION

Legally-Binding Electronic Signatures with OnTask

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

PREPARING FOR THE GDPR AT THE UNIVERSITY OF HELSINKI

GESIS Datenservice Unter Sachsenhausen Köln Fax:

Introductory guide to data sharing. lewissilkin.com

Privacy Policy and GDPR Compliance

Identity Federation Requirements

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

The types of personal information we collect and hold

Synchronoss Website Privacy Statement

Science Europe Consultation on Research Data Management

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Transcription:

Attribute Release Technical and Legal Issues Contractual Matters Wolfgang Pempe, DFN-Verein pempe@dfn.de DARIAH/DASISH AAI Workshop, 17/18 October 2013, Cologne

Overview Attribute Release Technical Issues Legal Issues CoC and other Solutions, supporting Measures Contractual Matters AAI Contracts DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 2

Attribute Release Technical Issues The Standard Situation Operationial IdP, running for a long time 10.000+ users One Attribute Filter Policy per SP Configuration requires restart of servlet container (not necessarily, but quite often) How to set up a new Attribute Filter Policy? What happens if something goes wrong? DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 3

Attribute Release Legal Issues (1) Data Protection in Germany... federal BDSG TKG TMG state LDSG LDSG LDSG LDSG home org. Local DP Reg. Local DP Reg. Local DP Reg. Local DP Reg. Local DP Reg. Local DP Reg. IdP IdP IdP IdP IdP IdP DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 4

Attribute Release Legal Issues (2) is not that easy Complex hierarchy of laws and regulations Different legal conditions depending on location of IdP (federal state and even Home Organization) IdP operator has to consult the local DPO IdP operators are reluctant to release personal data (in some cases, DPOs may be uncertain, too) DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 5

Attribute Release Solutions (1) Supporting Measures (by Fed Op) Improve & extend online documentation (Shibboleth IdP) How to configure attribute filter as reloadable resource server.xml (no interaction with servlet container necessary) More examples of Attribute Filter Policies Usage of opaque identifiers (edupersonuniqueid [draft] vs. eppn) Implementation of CoC with metadata registry (done) Promote CoC (scheduled for the next weeks with CLARIN) Promote / encourage implementation of user consent modules, esp. uapprove (comply with 4 BDSG) DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 6

Attribute Release Solutions (1) Supporting Measures (by SP Op) Promote Services The more popular a service becomes + the bigger the user community (like SSH), the more IdP Ops are willing to release personal data (e.g. to GigaMove) Implementation of CoC next slides Facilitate attribute release technically by supporting a small and unified attribute profile, for instance the CoC profile or CLARIAH Call for Action on Federated Identity Declaration of required attributes in metadata DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 7

Attribute Release Solutions (3) Code of Conduct for Service Providers (GÉANT Data Protection Code of Conduct for Service Providers in EU/EEA) SP declares conformance with EU Data Protection Directive both in a human readable (PrivacyStatementURL) and machine readable (Entity Category) way (almost) fixed maximum set of attributes, actually required attributes have to be documented in metadata Federation Op has to make sure that those requirements are met Ideally only one Attribute Filter Policy required to release attributes to a group of SPs DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 8

Attribute Release Solutions (4) CoC Entity Category (DFN-AAI metadata administration tool) DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 9

Attribute Release Solutions (5) Does the Code of Conduct make sense? Only summarizes existing law / regulations (BTW: DFN-AAI SP contract binds SP to German and EU DP law) But still helpful: Confidence-building measure: IdP operators are no lawyers and CoC makes it clearly visible that SP really cares for data protection Technically effective way to release attributes via Entity Category-based Attribute Filter Policy CoC-compliant entities are monitored by edugain and participating federations, e.g. if the Privacy Statement URL is being removed in the DFN-AAI metadata registry, the Entity Category is automatically being removed, too no attribute release DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 10

AAI Contracts DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 11

DFN Contractual Framework Services for R&E Institutions Framework Agreement ( Rahmenvertrag ) Internet VC AAI and more... Service Agreements ( Dienstvereinbarungen ) For users of DFN Internet, all other services are free. Please note: AAI Service Providers are no users DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 12

Services of the DFN-association Contracting of providers and users Operation of central technical services Development of new features or applications Organising international cooperation User support Provision of digital certificates (DFN-PKI) BUT: DFN is NOT involved in licence agreements related to information /content providers. DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 13

Central Contracting The DFN-association is the central contractual partner for all participants of DFN-AAI. Federation S1 S2 S... A1 DFN An Sn A2 A... DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 14

IdP Contract The AAI-contract is an addition to other contracts between DFN and research institutions ( just another piece of paper ). Subjects of IdP agreement: - acceptance of der DFN federation policy - acceptance of attribute schemes - commitment to meet the demands on IdM systems ( Verlässlichkeitsklassen ) - commitment (of DFN) to operate central technical services (Discovery-Service, usw.) - legal issues e.g. liability, termination, place of jurisdiction 144 IdP agreements signed DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 15

SP Contract Modification of the SWITCHaai Federation Partner Agreement Subjects of SP agreement: - acceptance of German law - acceptance of der DFN federation policy - acceptance of European data privacy laws (for US-American companies: Safe-Harbour) - legal issues e.g. liability, termination, place of jurisdiction Free of charge 131 SP agreements signed DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 16

Development of AAI contracts Contracts/entities IdPs: 144 / 127 SPs: 131 / 148 Local SPs: / 205 DARIAH / DASISH AAI Workshop, 17/18 October 2013 Cologne, Wolfgang Pempe 17

Thanks for your attention! Questions? Comments? Contact www: email: https://www.aai.dfn.de hotline@aai.dfn.de, pempe@dfn.de

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback