Re: Using postgresql.org account as an auth id on third party websites

From Stephen Frost
Subject Re: Using postgresql.org account as an auth id on third party websites
Msg-id 20190918161337.GB6962@tamriel.snowman.net
In response to Re: Using postgresql.org account as an auth id on third party websites  (Álvaro Hernández <aht@ongres.com>)
Responses Re: Using postgresql.org account as an auth id on third party websites  (Álvaro Hernández <aht@ongres.com>)
List pgsql-www

Greetings,

* Álvaro Hernández (aht@ongres.com) wrote:
>     You mention that this mechanism is already approved for different
> organisations. Indeed, this is where I saw it in action and loved the idea!
> But if it is approved for third-party (from a legal perspective)
> organisations, I don't see why it would not be for other third-party
> organisations. You mention GDPR and, if anything, that they are running "on
> the main infrastructure" (i.e. the infrastructure of a separate legal
> entity, I assume the PostgreSQL Canada Association) seems like something
> which may have serious GDPR issues on its own. I understand how things are
> down when being built, but have a look just in case ;)

If you believe there's a specific GDPR concern regarding what we're
doing, it'd be great if you could help us explain more clearly what that
concern is.

>     But back on topic, on what concerns my request: let's open this up to
> any third party organisation --it has already been done. I don't see why
> having "the team the ability to manage all the data" changes anything. What
> I'm requesting access to is a system for third-party authentication, similar
> to "login with Google" or any other auth provider. There's no "forced
> account delete" mechanism that I'm aware of, and there is little to no
> information sharing other than "hey, please authenticate this person and let
> me know the boolean information of whether that was successful or not"
> (optionally request name and email, as other authentication providers do,
> that is PII, but that's it). What auth providers do is a way to force delete
> a session (an authentication token, which typically expires quickly, but
> could be forcibly expired). This is optional, and in no way would force any
> deletion on the third party (it is the user who should use the third party's
> account deletion procedures).

I don't agree that we should open this up to just any third party
organization to use.  There's specific, recognized, organizations, who
also run on pginfra, who have been allowed to leverage this system but
saying that, say, Google, could use it, or any other organization
represents a de-facto endorsement of those systems which isn't something
that I think we, as a project, should be doing.

>     In summary: it is already opened to third parties, please help us get to
> use it too, it's a very cool thing ;)

Those are very specific third parties which have requirements set on
them through our policies, not anyone, so this argument isn't valid.

Thanks,

Stephen
