Re: Using postgresql.org account as an auth id on third party websites

From Álvaro Hernández
Subject Re: Using postgresql.org account as an auth id on third party websites
Date
Msg-id 15cabf38-6ab9-1785-d6cc-6e7dd17fa793@ongres.com
In reply to Re: Using postgresql.org account as an auth id on third party websites  (Stephen Frost <sfrost@snowman.net>)
List pgsql-www

On 18/9/19 9:13, Stephen Frost wrote:
> Greetings,
>
> * Álvaro Hernández (aht@ongres.com) wrote:
>>      You mention that this mechanism is already approved for different
>> organisations. Indeed, this is where I saw it in action and loved the idea!
>> But if it is approved for third-party (from a legal perspective)
>> organisations, I don't see why it would not be for other third-party
>> organisations. You mention GDPR and, if anything, that they are running "on
>> the main infrastructure" (i.e. the infrastructure of a separate legal
>> entity, I assume the PostgreSQL Canada Association) seems like something
>> which may have serious GDPR issues on its own. I understand how things are
>> down when being built, but have a look just in case ;)
> If you believe there's a specific GDPR concern regarding what we're
> doing, it'd be great if you could help us explain more clearly what that
> concern is.

     It's not really my concern, but more of a recommendation: just 
review if all is good. If data from Postgres EU is managed by 
infrastructure and staff from another organisation (PostgreSQL 
Association in Canada) there should be several issues at play like: a 
clear contract for services provision among the entities; clear policies 
on how information is exchanged (and if postgresql.org login cannot be 
opened to third parties as some data cancellation mechanisms are not in 
place, this is a red flag IMHO that those mechanisms are not in place 
right now for the EU Association); and possibly others. I'm not a GDPR 
expert, but I'd recommend to review this. It sounds to me that things 
are too intertwined between different orgs, where one is non EU. Clear 
boundaries are required. I may be of course wrong and all this is 
already in place.

>
>>      But back on topic, on what concerns my request: let's open this up to
>> any third party organisation --it has already been done. I don't see why
>> having "the team the ability to manage all the data" changes anything. What
>> I'm requesting access to is a system for third-party authentication, similar
>> to "login with Google" or any other auth provider. There's no "forced
>> account delete" mechanism that I'm aware of, and there is little to no
>> information sharing other than "hey, please authenticate this person and let
>> me know the boolean information of whether that was successful or not"
>> (optionally request name and email, as other authentication providers do,
>> that is PII, but that's it). What auth providers do is a way to force delete
>> a session (an authentication token, which typically expires quickly, but
>> could be forcibly expired). This is optional, and in no way would force any
>> deletion on the third party (it is the user who should use the third party's
>> account deletion procedures).
> I don't agree that we should open this up to just any third party
> organization to use.  There's specific, recognized, organizations, who

     Why not?

     I don't know any other third-party authentication provider that 
does impose any limitation or requisite (other than checking for legal 
existence etc).

> also run on pginfra, who have been allowed to leverage this system but
> saying that, say, Google, could use it, or any other organization
> represents a de-facto endorsement of those systems which isn't something
> that I think we, as a project, should be doing.

     Just make it clear that the system does not come with a guaranteed 
SLA if that's your concern and that's fine. Use at your own risk, no 
guarantees of availability. Fine!


>
>>      In summary: it is already opened to third parties, please help us get to
>> use it too, it's a very cool thing ;)
> Those are very specific third parties which have requirements set on
> them through our policies, not anyone, so this argument isn't valid.

     Now what you say reads to me that there are some "privileged" 
entities. I'd like to know more, why and how they are privileged. Can 
you post here those policies that you mention? I may want to apply to be 
privileged too ;P


     Thanks,

     Álvaro

-- 

Alvaro Hernandez


-----------
OnGres



