Re: Using postgresql.org account as an auth id on third party websites

From: Álvaro Hernández <aht(at)ongres(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Using postgresql.org account as an auth id on third party websites
Date: 2019-09-18 16:29:52
Message-ID: 15cabf38-6ab9-1785-d6cc-6e7dd17fa793@ongres.com
Lists: pgsql-www

On 18/9/19 9:13, Stephen Frost wrote:
> Greetings,
>
> * Álvaro Hernández (aht(at)ongres(dot)com) wrote:
>>     You mention that this mechanism is already approved for different
>> organisations. Indeed, this is where I saw it in action and loved the idea!
>> But if it is approved for third-party (from a legal perspective)
>> organisations, I don't see why it would not be for other third-party
>> organisations. You mention GDPR and, if anything, that they are running "on
>> the main infrastructure" (i.e. the infrastructure of a separate legal
>> entity, I assume the PostgreSQL Canada Association) seems like something
>> which may have serious GDPR issues on its own. I understand how things are
>> done when being built, but have a look just in case ;)
> If you believe there's a specific GDPR concern regarding what we're
> doing, it'd be great if you could help us explain more clearly what that
> concern is.

    It's not really my concern, but more of a recommendation: just
review that all is good. If data from Postgres EU is managed by
infrastructure and staff from another organisation (PostgreSQL
Association in Canada), there should be several issues at play, like: a
clear contract for service provision among the entities; clear policies
on how information is exchanged (and if postgresql.org login cannot be
opened to third parties because some data cancellation mechanisms are not in
place, this is a red flag IMHO that those mechanisms are not in place
right now for the EU Association); and possibly others. I'm not a GDPR
expert, but I'd recommend reviewing this. It sounds to me that things
are too intertwined between different orgs, where one is non-EU. Clear
boundaries are required. Of course I may be wrong and all this is
already in place.

>
>>     But back on topic, on what concerns my request: let's open this up to
>> any third party organisation --it has already been done. I don't see why
>> having "the team the ability to manage all the data" changes anything. What
>> I'm requesting access to is a system for third-party authentication, similar
>> to "login with Google" or any other auth provider. There's no "forced
>> account delete" mechanism that I'm aware of, and there is little to no
>> information sharing other than "hey, please authenticate this person and let
>> me know the boolean information of whether that was successful or not"
>> (optionally request name and email, as other authentication providers do,
>> that is PII, but that's it). What auth providers do is a way to force delete
>> a session (an authentication token, which typically expires quickly, but
>> could be forcibly expired). This is optional, and in no way would force any
>> deletion on the third party (it is the user who should use the third party's
>> account deletion procedures).
> I don't agree that we should open this up to just any third party
> organization to use. There are specific, recognized organizations who

    Why not?

    I don't know of any other third-party authentication provider that
imposes any limitation or requirement (other than checking for legal
existence, etc.).

> also run on pginfra, who have been allowed to leverage this system but
> saying that, say, Google, could use it, or any other organization
> represents a de-facto endorsement of those systems which isn't something
> that I think we, as a project, should be doing.

    Just make it clear that the system does not come with a guaranteed
SLA if that's your concern and that's fine. Use at your own risk, no
guarantees of availability. Fine!

>
>>     In summary: it is already open to third parties, please help us get to
>> use it too, it's a very cool thing ;)
> Those are very specific third parties which have requirements set on
> them through our policies, not anyone, so this argument isn't valid.

    Now what you say reads to me that there are some "privileged"
entities. I'd like to know more about why and how they are privileged. Can
you post here those policies that you mention? I may want to apply to be
privileged too ;P

    Thanks,

    Álvaro

--

Alvaro Hernandez

-----------
OnGres
