Re: [scim] Discussion Item: Personally Identifiable Information in SCIM

"Paulo Jorge N. Correia (paucorre)" <paucorre@cisco.com> Mon, 15 November 2021 10:24 UTC

From: "Paulo Jorge N. Correia (paucorre)" <paucorre@cisco.com>
To: Danny Mayer <mayer@pdmconsulting.net>, Phillip Hunt <phil.hunt@independentid.com>
CC: "scim@ietf.org" <scim@ietf.org>, "Janelle Allen (janelall)" <janelall=40cisco.com@dmarc.ietf.org>
Thread-Topic: [scim] Discussion Item: Personally Identifiable Information in SCIM
Thread-Index: AQHX1wulHE7XSizfZUWgvBYR/PY/sawBmmAAgABEioCAAWbxgIABGz8w
Date: Mon, 15 Nov 2021 10:24:31 +0000
Message-ID: <MW3PR11MB4730EC0A50D149D94FD83D67CD989@MW3PR11MB4730.namprd11.prod.outlook.com>
References: <CO1PR11MB48024D5296FAF8B347454D1ACD949@CO1PR11MB4802.namprd11.prod.outlook.com> <ed126b67-aff7-0867-2e4b-ec07aed8d366@pdmconsulting.net> <CB1CBE7E-7D17-42E7-AD56-F95F925C6BA0@independentid.com> <5b794493-7fca-3098-65bc-c7ae91ab81f8@pdmconsulting.net>
In-Reply-To: <5b794493-7fca-3098-65bc-c7ae91ab81f8@pdmconsulting.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/-6coWHuEPNIX0OL2PphXd04qSzA>
Subject: Re: [scim] Discussion Item: Personally Identifiable Information in SCIM
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

Danny,

Email addresses, phone numbers, locations: most of it is considered PII, and what is even more problematic is when that information travels across clouds.

Many regulations like the European GDPR (https://gdpr.eu/eu-gdpr-personal-data/), and not only in the EU (most of the geos like Canada, Singapore, etc. are creating similar legislation), are controlling and monitoring what you do with PII.

So I would say that it is very, very relevant that SCIM has the right mechanisms so that the geos' regulations can be enforced or not.

Of course this will require some kind of privacy expert (normally a lawyer) to have a look at the RFC schemas and make a recommendation on whether each attribute is considered PII or not.

 

Thanks,

Paulo

 

From: scim <scim-bounces@ietf.org> On Behalf Of Danny Mayer
Sent: Sunday, November 14, 2021 17:07
To: Phillip Hunt <phil.hunt@independentid.com>
Cc: scim@ietf.org; Janelle Allen (janelall) <janelall=40cisco.com@dmarc.ietf.org>
Subject: Re: [scim] Discussion Item: Personally Identifiable Information in SCIM

 

None of this answers my basic question of why PII would be a part of SCIM. HR systems (with the exception of a few properties) and Finance systems should not be sharing PII with other systems and a management system (a SCIM client) should not be aware of that information. I can imagine that an expense system, for example, might need some additional information from an HR system (like a physical address) but is that what is needed? The other need might be a payroll system needing Bank information for direct deposit and physical address, but you want that system to act as a direct SCIM client to HR and not go through any other servers for that information.

Does this make sense? Can someone come up with actual use cases to justify PII in SCIM?

Thanks,

Danny

On 11/13/21 2:41 PM, Phillip Hunt wrote:

 

Just for the group's information, the current SCIM specs do have privacy considerations sections. The confusion may be that back then, privacy considerations was not a top-level table of contents item.

 

Relevant sections in existing drafts are:

RFC7644 Section 7.5 - https://datatracker.ietf.org/doc/html/rfc7644#section-7.5

RFC7643 Section 9 - https://datatracker.ietf.org/doc/html/rfc7643#section-9. This covers both sensitive data (e.g. passwords) as well as discussion on privacy.

 

RFC7644 Section 7.5.2 refers to the case I pointed out in the WG session. The HTTP POST .search method was designed to avoid passing information in request URIs that may appear in other systems, such as access logs, which may be seen as inappropriate.

 

A compliant service provider implementation that allows searching of PII and sensitive data via GET should normally be returning HTTP status 403 (Forbidden) in response. While one might argue that information has already been exposed by the client, it doesn't help to compound the problem by confirming that the information requested is correct.

 

The SCIM POST Search solution I raised was the result of a “compromise” the SCIM WG had to make for PII. The SCIM WG informally raised the concerns with the HTTP WG.

The HTTPbis WG has discussed the problems of searching with HTTP GET many times before.

Julian Reschke presented on the issue in IETF93 (giving a good explanation of the privacy issues):

https://httpwg.org/wg-materials/ietf93/ietf-93-httpbis-search.pdf

 

Going forwards….

 

The issue of searching using HTTP GET has re-surfaced again with a proposal for HTTP QUERY:

https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/

 

If we end up talking about a SCIMbis effort, we may want to include support for safe query. This would be fairly straightforward, as we can take the body defined in our POST search method and simply use the proposed HTTP QUERY method.

 

Phillip Hunt

@independentid

phil.hunt@independentid.com

On Nov 13, 2021, at 7:36 AM, Danny Mayer <mayer@pdmconsulting.net> wrote:

 

On 11/11/21 10:13 AM, Janelle Allen (janelall) wrote:

Hi there,

 

In the IETF session today, Phil mentioned privacy and the handling of PII.  A lot of legislation has occurred since SCIM 2.0. A question to this WG, should we be revisiting the core schema and marking some attributes as potentially containing PII?  

This caused me to ponder: should we be thinking of modifying the core schema to identify which attributes may carry PII? E.g. the complex name attribute has the potential to carry PII; should we consider adding a new item as a peer to “mutability” such as “containsPII: true/false”? Or expand on the returned element, such as returned: “restrictedPII”? Or any other unmentioned method of addressing PII?

 

I'd like to understand the use case for even providing PII data in SCIM. Most of the data that the SCIM Schemas currently are offering (see RFC7643) are not PII (though maybe ims and photos might be considered PII - Section 4.1.2). Having dealt with HR systems and their APIs I know that there is only an extremely limited subset of data that should ever be made available to any outside system and you don't generally want to host it on a management platform if it is PII. I didn't attend the meeting so I don't know what the discussion was about. I personally feel that PII should NOT be made available through SCIM, but I'm willing to be persuaded otherwise as long as PII protections can be defined and required in any resulting document.

Danny

_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim
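The GET-versus-POST /.search distinction Phillip Hunt describes in the thread above (RFC 7644 Section 7.5.2, with the POST /.search request of Section 3.4.3), as a worked example added here; it is not code from the thread or from any SCIM implementation. It assumes a constructed, per-deployment list of PII attributes standing in for the kind of schema marking Janelle proposes (“containsPII”), extracts the attribute paths a SCIM filter references, returns the 403 Phillip describes for a GET whose filter touches those attributes, accepts the same filter through POST /.search, and shows what a request-URI access log would keep in each case. The function names (filter_attributes, references_pii, handle, access_log_line), the PII list and the sample filters are all this example's own assumptions; the schema URNs are the ones defined in RFC 7644.

```python
"""Added example: a SCIM service provider applying the RFC 7644 7.5.2 rule.

GET /Users?filter=... carries the filter, and any PII literal in it, in the
request URI, which proxies and access logs record.  POST /Users/.search
carries the same filter in the body.  A provider can therefore refuse GET
filters over PII attributes with 403 and accept them only via /.search.
"""
import json
import re
from urllib.parse import parse_qs, urlencode

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SEARCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed policy: which top-level core User attributes (RFC 7643 4.1)
# this deployment treats as PII.  The thread argues this should become a
# schema marking decided with a privacy review; here it is a plain list.
PII_ATTRIBUTES = frozenset(
    a.lower() for a in ("name", "emails", "phoneNumbers", "addresses", "ims", "photos")
)

_KEYWORDS = {"eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le",
             "and", "or", "not", "true", "false", "null"}
_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')                # quoted comparison values
_TOKEN = re.compile(r"[A-Za-z][\w.:-]*")                   # attrPath, URN prefix allowed
_BRACKET = re.compile(r"([A-Za-z][\w.:-]*)\[([^\]]*)\]")   # emails[type eq "work"]


def filter_attributes(expr):
    """Return the set of attribute paths a SCIM filter expression references.

    String literals are blanked first so a value such as "emails" is not
    mistaken for an attribute; bracketed sub-filters are expanded to
    parent.child paths.  Operators and boolean keywords are dropped.
    """
    expr = _STRING.sub('""', expr)
    paths = set()

    def expand(match):
        parent = match.group(1)
        for tok in _TOKEN.findall(match.group(2)):
            if tok.lower() not in _KEYWORDS:
                paths.add(f"{parent}.{tok}")
        return " "

    expr = _BRACKET.sub(expand, expr)
    for tok in _TOKEN.findall(expr):
        if tok.lower() not in _KEYWORDS:
            paths.add(tok)
    return paths


def top_level(path):
    """'urn:...:User:name.familyName' -> 'name'; 'emails.value' -> 'emails'."""
    return path.rsplit(":", 1)[-1].split(".", 1)[0].lower()


def references_pii(expr):
    """True if any attribute the filter touches is in the PII policy list."""
    return any(top_level(p) in PII_ATTRIBUTES for p in filter_attributes(expr))


def scim_error(status, detail):
    """RFC 7644 3.12 error body."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def handle(method, path, query="", body=None):
    """Route one request; returns (http_status, response_body)."""
    if method == "GET":
        expr = parse_qs(query).get("filter", [""])[0]
        if references_pii(expr):
            return scim_error(403, "filters over PII attributes must use POST /.search")
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": 0, "Resources": []}
    if method == "POST" and path.endswith("/.search"):
        req = json.loads(body or "{}")
        if SEARCH_SCHEMA not in req.get("schemas", []):
            return scim_error(400, "body is not a SearchRequest")
        # The filter arrived in the body; evaluating it against a store is
        # outside this example, so an empty ListResponse is returned.
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": 0, "Resources": []}
    return scim_error(405, "method not supported on this path")


def access_log_line(method, path, query=""):
    """What a proxy or web server access log keeps: the request line, never the body."""
    return f"{method} {path}{'?' + query if query else ''} HTTP/1.1"


if __name__ == "__main__":
    pii_filter = 'emails[type eq "work" and value co "jensen@example.com"]'
    q = urlencode({"filter": pii_filter})
    print(handle("GET", "/Users", q), access_log_line("GET", "/Users", q))
    body = json.dumps({"schemas": [SEARCH_SCHEMA], "filter": pii_filter})
    print(handle("POST", "/Users/.search", body=body), access_log_line("POST", "/Users/.search"))
```

Running the module shows the two halves of Phillip's point side by side: the GET is refused and its log line still contains the e-mail address from the filter, while the POST /.search is accepted and its log line is only "POST /Users/.search HTTP/1.1". The policy list is deliberately the one piece that is not derivable from RFC 7643, which is exactly the gap the thread is discussing.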
