CoCo v1 vs v2
This page summarises the key commonalities and differences of GÉANT CoCo ver 1.0 and 2.0 draft (as per 10 Jan 2019).
Note that this document is historical and does not cover the final CoCo ver 2.0.
This page is non-normative and does not present an exhaustive analysis of the CoCo versions. For complete analysis, the reader is encouraged to study the CoCos in detail. It is still believed this page is useful as a quick overview.
Commonalities of CoCo 1.0 and 2.0 (draft)
- Both are binding agreements for the Service Provider that has committed to it.
- They both consist of 17-18 clauses which express what the Service Provider is committing to. The reader can observe many similarities between the clauses.
- They both use similar SAML metadata constructs (Entity category, RequestedAttributes, mdui:PrivacyStatementURL, mdui:DisplayName, mdui:Description)
Differences between CoCo 1.0 and 2.0 (draft)
- CoCo 1.0 is based on the Data Protection Directive and CoCo 2.0 on the GDPR, which replaced the directive on 25 May 2018.
- CoCo 2.0 is more descriptive: it explains how the law should be interpreted in the context of attribute release in an R&E identity federation (e.g. what the attributes can be used for, how long they can be stored, etc.)
- CoCo 2.0, after having been approved by the data protection authorities, justifies attribute release outside the EU, if the SP has committed to it properly. This means non-EU/EEA SPs can also commit to it.
- CoCo 2.0 better serves the needs of international organisations (such as CERN and EMBL)
- CoCo 2.0 introduces a CoCo monitoring body, as required by GDPR
- CoCo 2.0 requires the SP to commit to SIRTFI, too
- Some of the material that is non-normative in CoCo 1.0 is made normative in CoCo 2.0, as suggested by the authorities (e.g. Privacy Policy template, handling non-compliance)
- SPs can make use of the CoCo also for receiving attributes from Attribute Providers (not only Identity Providers)