Re: [scim] Discussion Item: Personally Identifiable Information in SCIM

Danny Mayer <mayer@pdmconsulting.net> Sat, 13 November 2021 15:36 UTC

To: "Janelle Allen (janelall)" <janelall=40cisco.com@dmarc.ietf.org>, "scim@ietf.org" <scim@ietf.org>
References: <CO1PR11MB48024D5296FAF8B347454D1ACD949@CO1PR11MB4802.namprd11.prod.outlook.com>
From: Danny Mayer <mayer@pdmconsulting.net>
In-Reply-To: <CO1PR11MB48024D5296FAF8B347454D1ACD949@CO1PR11MB4802.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/ZsTchw5zlcd54zg199NW423hXJ0>

On 11/11/21 10:13 AM, Janelle Allen (janelall) wrote:

> Hi there,
>
> In the IETF session today, Phil mentioned privacy and the handling of 
> PII.  A lot of legislation has occurred since SCIM 2.0. A question to 
> this WG, should we be revisiting the core schema and marking some 
> attributes as potentially containing PII?
>
> This caused me to ponder should we be thinking of modifying the core 
> schema to identify which attributes may carry PII, e.g., the complex name 
> attribute has the potential to carry PII, should we consider adding a 
> new item as a peer to “mutability” such as “containsPII: true/false”? 
> Or expand on the returned element such as returned: “restrictedPII”? 
> or any other unmentioned method of addressing PII?
>
I'd like to understand the use case for even providing PII data in SCIM. 
Most of the data that the SCIM Schemas currently are offering (see 
RFC7643) are not PII (though maybe ims and photos might be considered 
PII - Section 4.1.2). Having dealt with HR systems and their APIs I 
know that there is only an extremely limited subset of data that should 
ever be made available to any outside system and you don't generally 
want to host it on a management platform if it is PII. I didn't attend 
the meeting so I don't know what the discussion was about. I personally 
feel that PII should NOT be made available through SCIM, but I'm willing 
to be persuaded otherwise as long as PII protections can be defined and 
required in any resulting document.

Danny
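
The proposal quoted above, a "containsPII" characteristic sitting beside "mutability" in each attribute definition, could be enforced by a service provider roughly as follows. This is an added illustration, not code from either poster or from RFC 7643: "containsPII" exists only as the thread's suggestion, and the schema excerpt, the sample user, the choice of flagged attributes, and the names `ALWAYS_RETURNED` and `redact` are all constructed assumptions.

```python
# Hypothetical: "containsPII" is the characteristic proposed in the thread,
# not a characteristic defined by RFC 7643. Schema excerpt is constructed.
SCHEMA_ATTRIBUTES = [
    {"name": "userName", "type": "string", "mutability": "readWrite",
     "returned": "default", "containsPII": False},
    {"name": "name", "type": "complex", "mutability": "readWrite",
     "returned": "default", "containsPII": True},
    {"name": "ims", "type": "complex", "multiValued": True,
     "returned": "default", "containsPII": True},
    {"name": "photos", "type": "complex", "multiValued": True,
     "returned": "default", "containsPII": True},
    {"name": "active", "type": "boolean", "mutability": "readWrite",
     "returned": "default", "containsPII": False},
]

# Assumption: common attributes are returned regardless of the flag.
ALWAYS_RETURNED = {"schemas", "id", "meta"}

def redact(resource, attributes, client_may_read_pii):
    """Return a copy of a SCIM resource with PII-flagged attributes withheld."""
    if client_may_read_pii:
        return dict(resource)
    # SCIM attribute names are case-insensitive, so index by lowercase name.
    defined = {a["name"].lower(): a for a in attributes}
    out = {}
    for key, value in resource.items():
        if key in ALWAYS_RETURNED:
            out[key] = value
            continue
        definition = defined.get(key.lower())
        # Fail closed: attributes with no definition, or whose definition
        # lacks the flag, are treated as if they carried PII.
        if definition is not None and definition.get("containsPII", True) is False:
            out[key] = value
    return out

# Constructed sample resource; "Name" tests case-insensitive matching and
# "nickName" is absent from the schema excerpt above.
USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "example-id-0001",
    "userName": "bjensen",
    "Name": {"givenName": "Barbara", "familyName": "Jensen"},
    "ims": [{"value": "bjensen-im", "type": "xmpp"}],
    "photos": [{"value": "https://photos.example.com/bjensen.jpg"}],
    "nickName": "Babs",
    "active": True,
}
```
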