IETF Logo Mail Archive

Re: [scim] Discussion Item: Personally Identifiable Information in SCIM

Danny Mayer <mayer@pdmconsulting.net> Sun, 14 November 2021 17:06 UTC

Return-Path: <mayer@pdmconsulting.net>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB8D73A0D62 for <scim@ietfa.amsl.com>; Sun, 14 Nov 2021 09:06:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.751
X-Spam-Level:
X-Spam-Status: No, score=-3.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.852, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ju8viuCQT5A1 for <scim@ietfa.amsl.com>; Sun, 14 Nov 2021 09:06:42 -0800 (PST)
Received: from chessie.everett.org (chessie.everett.org [IPv6:2001:470:1:205::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FD4D3A0D61 for <scim@ietf.org>; Sun, 14 Nov 2021 09:06:40 -0800 (PST)
Received: from [192.168.1.193] (pool-108-26-179-179.bstnma.fios.verizon.net [108.26.179.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4Hsdyf1tz8zMNRc; Sun, 14 Nov 2021 17:06:34 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------E6qcA0rIj0Crrdtnhl1ugfPO"
Message-ID: <5b794493-7fca-3098-65bc-c7ae91ab81f8@pdmconsulting.net>
Date: Sun, 14 Nov 2021 12:06:33 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
Content-Language: en-US
To: Phillip Hunt <phil.hunt@independentid.com>
Cc: "scim@ietf.org" <scim@ietf.org>, "Janelle Allen (janelall)" <janelall=40cisco.com@dmarc.ietf.org>
References: <CO1PR11MB48024D5296FAF8B347454D1ACD949@CO1PR11MB4802.namprd11.prod.outlook.com> <ed126b67-aff7-0867-2e4b-ec07aed8d366@pdmconsulting.net> <CB1CBE7E-7D17-42E7-AD56-F95F925C6BA0@independentid.com>
From: Danny Mayer <mayer@pdmconsulting.net>
In-Reply-To: <CB1CBE7E-7D17-42E7-AD56-F95F925C6BA0@independentid.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/pi6M2EDxxLdcTa8MJHsBWNupIY4>
Subject: Re: [scim] Discussion Item: Personally Identifiable Information in SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Nov 2021 17:06:47 -0000

None of this answers my basic question of why PII would be a part of 
SCIM. HR systems (with the exception of a few properties) and Finance 
systems should not be sharing PII with other systems and a management 
system (a SCIM client) should not be aware of that information. I can 
imagine that an expense system, for example, might need some additional 
information from an HR system (like a physical address) but is that what 
is needed? The other need might be a payroll system needing Bank 
information for direct deposit and physical address, but you want that 
system to act as a direct SCIM client to HR and not go through any other 
servers for that information.

Does this make sense? Can someone come up with actual use cases to 
justify PII in SCIM?

Thanks,

Danny

On 11/13/21 2:41 PM, Phillip Hunt wrote:
>
> Just for the group's information, the current SCIM specs do have 
> privacy considerations sections. The confusion may be that back then, 
> privacy considerations was not a top level table of contents items.
>
> Relevant sections in existing drafts are:
> RFC7644 Section 7.5 - 
> https://datatracker.ietf.org/doc/html/rfc7644#section-7.5
> RFC7643 Section 9 - 
> https://datatracker.ietf.org/doc/html/rfc7643#section-9. This covers 
> both sensitive data (e.g. passwords) as well as discussion on privacy.
>
> Section RFC7644 7.5.2 refers to the case I pointed out in the WG 
> session.  The HTTP POST .search method was designed to avoid passing 
> information in request URIs that may appear in other
> systems such as access logs which may be seen as inappropriate.
>
> A compliant service provider implementation that allows searching of 
> PII and sensitive data via GET should normally be returning HTTP 
> status 403 (Forbidden) in response.  While one might argue that 
> information has already been exposed by the client, it doesn’t help to 
> compound the problem by confirming that the infromation requested is 
> correct.
>
> The SCIM POST Search solution I raised was the result of a 
> “compromise” the SCIM WG had to make for PII. The SCIM WG informally 
> raised the concerns with the HTTP WG.
> The HTTPbis WG has discussed the problems of searching with HTTP GET 
> many times before.
>
> Julian Reschke presented on the issue in IETF93 (giving a good 
> explanation of the privacy issues):
> https://httpwg.org/wg-materials/ietf93/ietf-93-httpbis-search.pdf
>
> Going forwards….
>
> The issue of searching using HTTP GET has re-surfaced again with a 
> proposal for HTTP QUERY:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/
>
> If we end up talking about a SCIMbis effort, we may want to include 
> support for safe query.  This would be fairly straight forward as we 
> can take the body define in our POST search method and simply use the 
> proposed HTTP QUERY method.
>
> Phillip Hunt
> @independentid
> phil.hunt@independentid.com
>
>
>
>
>> On Nov 13, 2021, at 7:36 AM, Danny Mayer <mayer@pdmconsulting.net> wrote:
>>
>> On 11/11/21 10:13 AM, Janelle Allen (janelall) wrote:
>>
>>> Hi there,
>>> In the IETF session today, Phil mentioned privacy and the handling 
>>> of PII.  A lot of legislation has occurred since SCIM 2.0. A 
>>> question to this WG, should we be revisiting the core schema and 
>>> marking some attributes as potentially containing PII?
>>>
>>> This caused me to ponder should we be thinking of modifying the core 
>>> schema to identify which attributes may carry PII eg: the complex 
>>> name attribute has the potential to carry PII,  should we consider 
>>> adding a new item as a peer to “mutability” such as “containsPII: 
>>> true/false”?. Or expand on the returned element such as returned: 
>>> “restrictedPII”? or any other unmentioned method of addressing PII?
>>
>> I'd like to understand the use case for even providing PII data in 
>> SCIM. Most of the data that the SCIM Schemas currently are offering 
>> (see RFC7643) are not PII (though maybe ims and photos might be 
>> considered PII - Section 4.1.2). Having dealt with HR systems and 
>> their API's I know that there is only an extremely limited subset of 
>> data that should ever be made available to any outside system and you 
>> don't generally want to host it on a management platform if it is 
>> PII. I didn't attend the meeting so I don't know what the discussion 
>> was about. I personally feel that PII should NOT be made available 
>> through SCIM, but I'm willing to be persuaded otherwise as long as 
>> PII protections can be defined and required in any resulting document.
>>
>> Danny
>>
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>
>
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim

v2.23.0 | Report a Bug | By Email