First Draft of the requirements
CoCo v2 Requirements
Entity Category Attribute value:
- https://refeds.org/category/code-of-conduct/v2
Metadata Requirements for Service Providers:
- mdui:PrivacyStatementURL: PRESENT, MUST be reachable without any authN.
- mdui:DisplayName: PRESENT
- mdui:Description: PRESENT and RECOMMENDED "no longer than 140 characters"
- for all mdui elements there MUST be at least an English value with the `xml:lang="en"` attribute.
- Sirtfi:
- Entity Attribute value:
- ""
- Security Contact:
- ""
Notes from CoCo-v2-BPs
p. 12 Data Minimisation
"In the context of this Code of Conduct, under no circumstances is a Service
Provider Organisation authorised to request End User’s Attribute
revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade-union membership, genetic data, biometric data for the
purposes of uniquely identifying a natural person or data concerning health
or sex life or sexual orientation."
Q: Which means that a service provider cannot run an application that collect health data of patients?
A: No it means that for the health data collection to take place there need to be in place a specific agreement between the Home Organisation and the SP. Such agreement will take precedence and override the CoCo.
E. Information Duty Towards Home Organisation
"The Service Provider Organisation commits to provide to the Home
Organisation or its Agent at least the following information:
a. a machine-readable link to the Privacy Notice;"
Requirement: verify that the link is available in the metadata and reachable by an HTTP User-Agent.
G. Security Measures
"The Service Provider Organisation shall implement the security
measures described in the Security Incident Response Trust Framework for
Federated Identity (Sirtfi) and signal it to the Identity Provider."
H. Security Breaches
if the Service Provider Organisation suspects that one or more user accounts in the Home Organisation has been compromised, the Service Provider Organisation contacting the Home
Organisation enables the Home Organisation to take measures to limit any further damage (such as, suspend the compromised accounts) and to start the necessary actions to recover from the breach, if any.
I. Transfer of Personal Data to Third Parties
proxy use case:
if none of the Attributes received from the Home
Organisation are being passed on, e.g. when only an internal
identifier assigned by the proxy is sent to the third parties, the proxy
does not need to make sure those third parties are committed to the
Code of Conduct.
References
[CoCov2]
https://refeds.org/category/code-of-conduct/v2
[CoCov2-EC]
https://refeds.org/category/code-of-conduct/v2