Problem statement
- Service Providers outside the EU/EEA (and Identity Providers in the EU/EEA) must commit to the international Data Protection Code of Conduct (iCoCo).
  - The iCoCo is a strong commitment for a non-EU/EEA SP, because the SP volunteers to be bound by European data protection law
  - unlike Home Organisations and SPs in the EU/EEA, which are bound by European law anyway
  - therefore, the evidence of the commitment must be strong enough to hold up in a dispute
- Example dispute scenario:
  - The SP admin asks his/her boss whether it is OK to commit to the iCoCo. The boss carelessly says “yes”.
  - The next day the boss has studied the issue more, changed his/her mind, and says that s/he has never heard of the iCoCo and that, had s/he heard of it, s/he would never have allowed the organisation to commit to the CoCo.
Alternative solutions (from strong to weak evidence)
- The SP organisation presents a paper, signed with a wet or qualified electronic signature by a management-level person, saying “we are committed to the Code of Conduct and I’m a truly representative person of the organization”.
- The management-level person logs in to a service using his/her personal account and clicks a button saying “we are committed to the Code of Conduct and I’m a truly representative person of the organization”. Pressing the button is logged.
- The management-level person sends an email to someone in eduGAIN saying “we are committed to the Code of Conduct and...”
- We keep what we have for the GÉANT CoCo at the moment: only an element in the SAML2 metadata and a link in the privacy policy document.
Proposed solution (alternative 2)
- There is an iCoCo Staging service that is registered as an SP with the relevant (non-EU/EEA) federations
  - the Staging service must be able to trust users authenticated by non-EU/EEA IdPs
  - the Staging service must be able to receive sufficient PII attributes from the IdP to identify the person who commits
- The iCoCo Staging service is part of, or closely coupled to, the SAML2 metadata management service of an eduGAIN participant federation
- The non-EU/EEA SP goes through the following workflow to commit to the international CoCo:
  - The SP administrator submits the SP's SAML2 metadata to the Staging service
  - A truly representative person from the Service Provider organisation logs in to the Staging service, selects the SP and clicks a button saying “we are committed to the Code of Conduct and I’m a truly representative person of the organization”. Clicking the button is logged for the audit trail.
  - The Staging service releases the SP's SAML2 metadata to the eduGAIN Metadata Service (MDS), with the Entity Category tags indicating commitment to the iCoCo
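The two Staging-service steps above (the logged button click, then the release of metadata tagged with the Entity Category) as an added illustration in Python; this is not eduGAIN or any federation's code. It assumes a minimum set of PII attributes from the IdP (eduPersonPrincipalName, mail, displayName), an in-memory list as the audit trail, and a placeholder for the iCoCo entity category URI, which this page does not give.

```python
import datetime
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
ICOCO_CATEGORY = "https://PLACEHOLDER.example/icoco-entity-category"  # page gives no URI
# Assumed minimum PII the Staging service needs from the IdP to identify the person.
REQUIRED_PII = ("eduPersonPrincipalName", "mail", "displayName")
STATEMENT = "we are committed to the Code of Conduct and I'm a truly representative person of the organization"
# Constructed sample: SP metadata as submitted by the SP administrator.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def record_commitment(user_attrs, entity_id, audit_log):
    """The button click: refuse unless the IdP released enough PII, then log it."""
    missing = [a for a in REQUIRED_PII if not user_attrs.get(a)]
    if missing:
        raise ValueError("insufficient PII from IdP, missing: %s" % ", ".join(missing))
    entry = {"time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
             "entityID": entity_id, "statement": STATEMENT,
             "committed_by": user_attrs["eduPersonPrincipalName"], "mail": user_attrs["mail"]}
    audit_log.append(entry)
    return entry

def tag_metadata(metadata_xml, entity_id, audit_log):
    """Release step: add the entity category only if the audit trail covers this entityID."""
    if not any(e["entityID"] == entity_id for e in audit_log):
        raise PermissionError("no recorded commitment for " + entity_id)
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        raise ValueError("submitted metadata is for a different entityID")
    ext = root.find("md:Extensions", NS)
    if ext is None:  # md:Extensions must precede the role descriptors
        ext = ET.Element("{%s}Extensions" % NS["md"])
        root.insert(0, ext)
    ea = ext.find("mdattr:EntityAttributes", NS)
    if ea is None:
        ea = ET.SubElement(ext, "{%s}EntityAttributes" % NS["mdattr"])
    attr = ET.SubElement(ea, "{%s}Attribute" % NS["saml"], Name=ENTITY_CATEGORY_ATTR,
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI")
    ET.SubElement(attr, "{%s}AttributeValue" % NS["saml"]).text = ICOCO_CATEGORY
    return ET.tostring(root, encoding="unicode")

def entity_categories(metadata_xml):  # what a consumer such as the eduGAIN MDS reads back
    attrs = ET.fromstring(metadata_xml).findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
    return [v.text for a in attrs if a.get("Name") == ENTITY_CATEGORY_ATTR
            for v in a.findall("saml:AttributeValue", NS)]
```

The release step refuses to tag metadata for which no commitment was logged, and the audit entry ties the statement to the person's identity as asserted by the IdP, which is what the dispute scenario above needs.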
Proposed technical implementation
- Policy-wise, the requirements on the Staging service are spelled out in the related Entity Category Specification as requirements for the registrar
- Technically, a Staging service can be provided
  - by one or several eduGAIN participant federations, in Europe or beyond
  - by a federation dedicated to registering non-European SPs with eduGAIN