[OpenID] Community Reputation Services

Nate Klingenstein ndk at internet2.edu
Thu May 22 09:04:34 UTC 2008


Dick,

Most universities can't send out students' grades or other sensitive  
information via email, as counsel and AACRAO judged it to be a  
potential FERPA violation, sooo...

That aside, it's still an interesting parallel, given that  
historically universities have always provided email services for  
every member of the organization.  Students have always been largely  
free to forward their mail to whomever they want, or transcribe it on  
their local bathroom stall.  That's been their choice.

Some schools are now outsourcing email entirely, though.  In fact,  
they sometimes do so using Shibboleth to leverage campus identities  
for email as a service.  Is removing that choice by only operating  
outsourced email fundamentally bad?

Well, there are the FERPA risks and occasional subpoenas.  Public  
universities often comply with open records laws, which impose  
requirements on data retention.  Some people are worried about these  
issues, and others think they're no problem.  They haven't been  
tested in vitro yet.  Here's a recent article:

http://www.insidehighered.com/news/2008/03/21/privacy

It's a tough choice for a lot of schools.  However, email is -- or,  
at least, it should be -- fundamentally different from identity.   
Email is an application.  Federated identity plumbs many applications  
with lots of different data about individuals.

The quality of that data matters for some applications, particularly  
the ones involving financial transactions.  If, for example, someone  
sets up an open proxy in an IP-address based access control scheme,  
the university's often the one that gets fined/sued.  Not fun, so  
we'd like to do better than that.

Check out university, bank, and corporate password reset policies,  
for the ones that don't require some form of token.  You'll find them  
to differ from what your average email provider does.

Take care,
Nate.

> Curious how you determine the reputation of the email provider for  
> your users.
> Email contains very sensitive, private information and likely falls  
> under the same privacy laws and FERPA.
>
> I don't see a lot of difference between an OpenID Provider and an  
> Email Provider.
