Re: [scim] Discussion Item: Personally Identifiable Information in SCIM
Phillip Hunt <phil.hunt@independentid.com> Sat, 13 November 2021 19:42 UTC
Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D3EE3A0A34 for <scim@ietfa.amsl.com>; Sat, 13 Nov 2021 11:42:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ColO5rquyYx for <scim@ietfa.amsl.com>; Sat, 13 Nov 2021 11:41:55 -0800 (PST)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A8973A0A39 for <scim@ietf.org>; Sat, 13 Nov 2021 11:41:55 -0800 (PST)
Received: by mail-pl1-x62a.google.com with SMTP id m24so1153368pls.10 for <scim@ietf.org>; Sat, 13 Nov 2021 11:41:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=bEmgB3PXWWUHh3ProTmlPMMFU5Ah1JJnABgjScZ0doY=; b=Ta/4h9w5QqpeJNwsdL2giI4v2vD4MvEhcbI4DSEyn4jTDhgypQhextAWs9LLfyHt2+ m0f1a3jmghnQdye7l0/SprxFW5QSAtyZFxyDJ9vZfjU0FDlNOAj+dsAmYx3IdL5qdQra jI3NdgZd+PJd9oyNJ9EU7EhQ1eCgQt4kwHO2/7tNMXEkvUNOX1BJabGImmB94RbHUugS H7L8dT3s14oXcv/3/kMPMrcWCaNizbCzpU3hO9HYwrhC+k7vPuCyOEVyFGqgDsoF2TiG w3vUqyV9Z3CipoAt+1lU3NXvkffb1jCPAZTpce283MgV5Im6rSkQaKgfxzd5Mzd45r17 +6fQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=bEmgB3PXWWUHh3ProTmlPMMFU5Ah1JJnABgjScZ0doY=; b=shxeO5vZJ66UA2MoXEvUhB54X25qnNzvLXhCcFVesnawMXA7rYpXkdfirVh3IEwtEm UL9GQZ0R8Ew3OtENq0fldOne77gWDLCQkxnTO3oGCaauWHu9apZ7udhFHQUJC1wMEV9a xnAaTMreQmu7PEtveddJAYeN/5IZVEsmDucFrtU2UwniGa9Pv7bOq4fl9aaWuxB0WRuN LkMx65BeHt5vWMKliBMaj0JjBUJR0+ry5pQLr6MaKUhO0eGilcdFWt/i9GMKXBE5N88P WR7/i5N9oyZVQKauvd2CcM4LyrHx19PGIBHiUuEry2BbYz8jk8GejmYm6D7da+QtraFY z/ig==
X-Gm-Message-State: AOAM532+dYah8ydJ6pk9/wba31SLv5mGTL2qd3fieMc1kWzaQv5tBGZm k2D+CcLLFAgm0uCzRj3paQ5EgQ==
X-Google-Smtp-Source: ABdhPJx+d7BdOmMPg3GBWKs7g4M8cEsKrw+WcppBnwSH+YVM4UA9HTN1LM0g9ui4snO6ZO0PaF0UOQ==
X-Received: by 2002:a17:903:1105:b0:143:a593:dc6e with SMTP id n5-20020a170903110500b00143a593dc6emr17575677plh.6.1636832513110; Sat, 13 Nov 2021 11:41:53 -0800 (PST)
Received: from smtpclient.apple (node-1w7jr9plyoqwucwjvefdi1q8f.ipv6.telus.net. [2001:569:540c:4900:94f9:db3a:588d:510f]) by smtp.gmail.com with ESMTPSA id a29sm9926542pfh.29.2021.11.13.11.41.52 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 13 Nov 2021 11:41:52 -0800 (PST)
From: Phillip Hunt <phil.hunt@independentid.com>
Message-Id: <CB1CBE7E-7D17-42E7-AD56-F95F925C6BA0@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EC6B7391-4301-45CF-A23F-7BDDD1F746B2"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Sat, 13 Nov 2021 11:41:51 -0800
In-Reply-To: <ed126b67-aff7-0867-2e4b-ec07aed8d366@pdmconsulting.net>
Cc: "Janelle Allen (janelall)" <janelall=40cisco.com@dmarc.ietf.org>, "scim@ietf.org" <scim@ietf.org>
To: Danny Mayer <mayer@pdmconsulting.net>
References: <CO1PR11MB48024D5296FAF8B347454D1ACD949@CO1PR11MB4802.namprd11.prod.outlook.com> <ed126b67-aff7-0867-2e4b-ec07aed8d366@pdmconsulting.net>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/iUGnhe8EqA_FVwGNlsX5zbBNIA0>
Subject: Re: [scim] Discussion Item: Personally Identifiable Information in SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Nov 2021 19:42:00 -0000
Just for the group's information, the current SCIM specs do have privacy considerations sections. The confusion may be that back then, privacy considerations was not a top level table of contents items. Relevant sections in existing drafts are: RFC7644 Section 7.5 - https://datatracker.ietf.org/doc/html/rfc7644#section-7.5 RFC7643 Section 9 - https://datatracker.ietf.org/doc/html/rfc7643#section-9. This covers both sensitive data (e.g. passwords) as well as discussion on privacy. Section RFC7644 7.5.2 refers to the case I pointed out in the WG session. The HTTP POST .search method was designed to avoid passing information in request URIs that may appear in other systems such as access logs which may be seen as inappropriate. A compliant service provider implementation that allows searching of PII and sensitive data via GET should normally be returning HTTP status 403 (Forbidden) in response. While one might argue that information has already been exposed by the client, it doesn’t help to compound the problem by confirming that the infromation requested is correct. The SCIM POST Search solution I raised was the result of a “compromise” the SCIM WG had to make for PII. The SCIM WG informally raised the concerns with the HTTP WG. The HTTPbis WG has discussed the problems of searching with HTTP GET many times before. Julian Reschke presented on the issue in IETF93 (giving a good explanation of the privacy issues): https://httpwg.org/wg-materials/ietf93/ietf-93-httpbis-search.pdf Going forwards…. The issue of searching using HTTP GET has re-surfaced again with a proposal for HTTP QUERY: https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/ If we end up talking about a SCIMbis effort, we may want to include support for safe query. This would be fairly straight forward as we can take the body define in our POST search method and simply use the proposed HTTP QUERY method. Phillip Hunt @independentid phil.hunt@independentid.com > On Nov 13, 2021, at 7:36 AM, Danny Mayer <mayer@pdmconsulting.net> wrote: > > On 11/11/21 10:13 AM, Janelle Allen (janelall) wrote: > >> Hi there, >> >> In the IETF session today, Phil mentioned privacy and the handling of PII. A lot of legislation has occurred since SCIM 2.0. A question to this WG, should we be revisiting the core schema and marking some attributes as potentially containing PII? >> >> This caused me to ponder should we be thinking of modifying the core schema to identify which attributes may carry PII eg: the complex name attribute has the potential to carry PII, should we consider adding a new item as a peer to “mutability” such as “containsPII: true/false”?. Or expand on the returned element such as returned: “restrictedPII”? or any other unmentioned method of addressing PII? >> > I'd like to understand the use case for even providing PII data in SCIM. Most of the data that the SCIM Schemas currently are offering (see RFC7643) are not PII (though maybe ims and photos might be considered PII - Section 4.1.2). Having dealt with HR systems and their API's I know that there is only an extremely limited subset of data that should ever be made available to any outside system and you don't generally want to host it on a management platform if it is PII. I didn't attend the meeting so I don't know what the discussion was about. I personally feel that PII should NOT be made available through SCIM, but I'm willing to be persuaded otherwise as long as PII protections can be defined and required in any resulting document. > > Danny > > _______________________________________________ > scim mailing list > scim@ietf.org <mailto:scim@ietf.org> > https://www.ietf.org/mailman/listinfo/scim <https://www.ietf.org/mailman/listinfo/scim>
- [scim] Discussion Item: Personally Identifiable I… Janelle Allen (janelall)
- Re: [scim] Discussion Item: Personally Identifiab… Danny Mayer
- Re: [scim] Discussion Item: Personally Identifiab… Phillip Hunt
- Re: [scim] Discussion Item: Personally Identifiab… Danny Mayer
- Re: [scim] Discussion Item: Personally Identifiab… Paulo Jorge N. Correia (paucorre)
- Re: [scim] Discussion Item: Personally Identifiab… Danny Mayer
- Re: [scim] Discussion Item: Personally Identifiab… Radovan Semancik
- Re: [scim] Discussion Item: Personally Identifiab… Janelle Allen (janelall)
- Re: [scim] Discussion Item: Personally Identifiab… Matt Peterson (mpeterso)